LDAP Group Authorization
Categories:
Authorization Plugin
A plugin that uses DBMS_LDAP and DBMS_LDAP_UTL packages for looking up LDAP directories for authorization. I wrote this plugin as a convenience method for creating authorization schemes for the projects that I have been working on. The corporate directory tree structure required sub-tree searching that was not possible using the APEX_LDAP package. This is very much work in progress. If you would like to contribute or enhance the plugin, please feel free to fork the project on GitHub. Documentation to follow, but it is pretty self-explanatory. However, please feel free to contact me on Twitter (fuzziebrain) if you do need help or have any questions regarding the plugin. Last but not least, I have only tested the plugin to work with Novell eDirectory. If this works for you using other LDAP directories, e.g. Microsoft Active Directory, OpenLDAP or Apache DS, please do give me a shout. Thanks! :)
Special Requirements:
In Oracle 11g, the parsing schema needs to be granted the necessary connection privileges to the LDAP server.
Keywords:
ldap, subtree, sub-tree, searching, dbms_ldap
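As an added example (not code from the plugin itself), this is the sub-tree group membership check the description refers to, done directly with DBMS_LDAP: resolve the APEX username to a DN under the people subtree, then search the groups subtree at any depth for a group that lists that DN as a member. The host and base DN are the ones quoted in the thread below; the bind account, the `ou=people`/`ou=groups` containers and the `groupOfNames`/`member` schema are assumptions (eDirectory and OpenLDAP both expose `member` on static groups, but check your own directory's schema). Values that come from the APEX username are escaped per RFC 4515 before being placed in the filter, so a crafted username cannot change what the filter matches.

```sql
CREATE OR REPLACE FUNCTION is_member_of_group (
  p_username  IN VARCHAR2,   -- APEX :APP_USER, treated as untrusted input
  p_group_cn  IN VARCHAR2    -- group to check, e.g. 'apex_admins'
) RETURN BOOLEAN
IS
  -- Assumed directory layout and service account; adjust to your tree.
  c_host     CONSTANT VARCHAR2(100) := 'ldap1.domain.cntry';
  c_port     CONSTANT PLS_INTEGER   := 389;
  c_bind_dn  CONSTANT VARCHAR2(200) := 'uid=svc_apex,ou=people,dc=domain,dc=ctry';
  c_bind_pw  CONSTANT VARCHAR2(200) := '<bind password: read from a secure store, never hard-code>';
  c_people   CONSTANT VARCHAR2(200) := 'ou=people,dc=domain,dc=ctry';
  c_groups   CONSTANT VARCHAR2(200) := 'ou=groups,dc=domain,dc=ctry';

  l_session  DBMS_LDAP.session;
  l_attrs    DBMS_LDAP.string_collection;
  l_msg      DBMS_LDAP.message;
  l_entry    DBMS_LDAP.message;
  l_rc       PLS_INTEGER;
  l_user_dn  VARCHAR2(1000);
  l_found    BOOLEAN := FALSE;

  -- RFC 4515 escaping for any value embedded in a search filter.
  -- Backslash is replaced first so the escapes it produces are not re-escaped.
  FUNCTION esc (p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p,
             '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), CHR(0), '\00');
  END esc;
BEGIN
  DBMS_LDAP.use_exception := TRUE;
  l_session := DBMS_LDAP.init(c_host, c_port);
  l_rc := DBMS_LDAP.simple_bind_s(l_session, c_bind_dn, c_bind_pw);

  -- Step 1: username -> DN, sub-tree search under the people container.
  -- Only attribute names are requested (attronly = 1); the DN is all we need.
  l_attrs(1) := 'cn';
  l_rc := DBMS_LDAP.search_s(
            ld       => l_session,
            base     => c_people,
            scope    => DBMS_LDAP.SCOPE_SUBTREE,
            filter   => '(&(objectClass=person)(uid=' || esc(p_username) || '))',
            attrs    => l_attrs,
            attronly => 1,
            res      => l_msg);
  -- Exactly one match is required; zero or several matches mean "no DN" and deny.
  IF DBMS_LDAP.count_entries(l_session, l_msg) = 1 THEN
    l_entry   := DBMS_LDAP.first_entry(l_session, l_msg);
    l_user_dn := DBMS_LDAP.get_dn(l_session, l_entry);
  END IF;
  l_rc := DBMS_LDAP.msgfree(l_msg);

  -- Step 2: is there a group, anywhere under ou=groups, with that DN as member?
  IF l_user_dn IS NOT NULL THEN
    l_rc := DBMS_LDAP.search_s(
              ld       => l_session,
              base     => c_groups,
              scope    => DBMS_LDAP.SCOPE_SUBTREE,
              filter   => '(&(objectClass=groupOfNames)(cn=' || esc(p_group_cn) ||
                          ')(member=' || esc(l_user_dn) || '))',
              attrs    => l_attrs,
              attronly => 1,
              res      => l_msg);
    l_found := DBMS_LDAP.count_entries(l_session, l_msg) > 0;
    l_rc := DBMS_LDAP.msgfree(l_msg);
  END IF;

  l_rc := DBMS_LDAP.unbind_s(l_session);
  RETURN l_found;
EXCEPTION
  WHEN OTHERS THEN
    -- Release the session, then re-raise so a misconfiguration (for example
    -- the ORA-24247 ACL error discussed in the thread) is visible instead of
    -- being turned into a silent deny.
    BEGIN
      l_rc := DBMS_LDAP.unbind_s(l_session);
    EXCEPTION WHEN OTHERS THEN NULL;
    END;
    RAISE;
END is_member_of_group;
/
```

Wired into an APEX authorization scheme of type "PL/SQL Function Returning Boolean" the body is simply `RETURN is_member_of_group(:APP_USER, 'apex_admins');`. Because the function runs as the parsing schema, that schema needs the network ACL grant described under Special Requirements; without it the bind fails with ORA-24247 exactly as reported in the thread below. The bind account only needs read access to the people and groups subtrees, and its password should come from a secure store rather than the constant used here for illustration.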
Date added: 15.1.2013
Views:
4422
Votes:
0
Reviews:
3
Min. APEX Version:
4.1
Re: getting ORA-24247 - though ACL is de
by Thomas Meyer
on February 12, 2013
Correct. I needed to do a
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE
for the existing ACL, addressing the parsing schema user.
Somewhat confusing: for the LDAP authorization to work correctly, it is sufficient to have principal APEX_040100. Now I see that for each application schema that implements network operations, this setting has to be done, too.
Regards, Tom
Re: getting ORA-24247 - though ACL is de
by Adrian Png
on February 11, 2013
Hi Tom,
Thanks for your feedback.
Did you also include the parsing schema in the ACL? This plugin uses the DBMS_LDAP and DBMS_LDAP_UTL package and runs as the parsing schema.
Best regards,
Adrian
getting ORA-24247 - though ACL is define
by Thomas Meyer
on February 11, 2013
Adrian,
this is a fine plug-in I believe. I have an issue though.
While I successfully run authentication to our OpenLDAP server, your
plugin will evoke an ORA-24247:
is_internal_error: true
apex_error_code: WWV_FLOW_PLUGIN_ENGINE.RUN_PLSQL_ERR
ora_sqlcode: -24247
ora_sqlerrm: ORA-24247: Netzwerkzugriff von Access Control-Liste (ACL) abgelehnt
component.type: APEX_APPLICATION_AUTHORIZATION
component.id: 107858606744715259
component.name: memberof_edv
error_backtrace:
ORA-06512: in "SYS.DBMS_LDAP_API_FFI", Zeile 25
ORA-06512: in "SYS.DBMS_LDAP", Zeile 48
ORA-06512: in Zeile 35
ORA-06512: in Zeile 68
ORA-06512: in "SYS.DBMS_SYS_SQL", Zeile 1926
ORA-06512: in "SYS.WWV_DBMS_SQL", Zeile 966
ORA-06512: in "SYS.WWV_DBMS_SQL", Zeile 992
ORA-06512: in "APEX_040100.WWV_FLOW_DYNAMIC_EXEC", Zeile 649
ORA-06512: in "APEX_040100.WWV_FLOW_PLUGIN_ENGINE", Zeile 983
This is quite a riddle, because I can successfully run the following
as APEX_040100:
SQL> alter session set current_schema=APEX_040100;
Session altered.
SQL> set serveroutput on
SQL> l
1 declare
2 l_session dbms_ldap.session;
3 l_dummy pls_integer;
4 begin
5 dbms_ldap.use_exception := TRUE;
6 l_session := dbms_ldap.init('ldap1.domain.cntry', 389 );
7 l_dummy := dbms_ldap.simple_bind_s(l_session, 'uid=auser,ou=people,dc=domain,dc=ctry', '123456');
8 dbms_output.put_line('authenticated');
9 l_dummy := dbms_ldap.unbind_s(l_session);
10 exception when others then
11 l_dummy := dbms_ldap.unbind_s(l_session);
12 raise;
13* end;
SQL> /
authenticated
PL/SQL procedure successfully completed.
SQL>
Regards, Tom
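The resolution Tom reports in this thread (adding the parsing schema to the network ACL with DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE), which is also what the Special Requirements note for Oracle 11g means, written out as a complete script. This is an added example, not the plugin's own code and not anything posted in the thread. The host `ldap1.domain.cntry`, port 389 and the principal APEX_040100 are taken from the thread; the ACL name `ldap_acl.xml` and the principal `YOUR_PARSING_SCHEMA` are placeholders to replace with your own values. It uses the 11g API (CREATE_ACL / ADD_PRIVILEGE / ASSIGN_ACL) and ends with CHECK_PRIVILEGE queries so the grant can be confirmed before the authorization scheme is run.

```sql
-- Run as SYS or another DBA. Oracle 11g network ACL for DBMS_LDAP calls.
-- Placeholders: ldap_acl.xml (ACL name) and YOUR_PARSING_SCHEMA (the APEX
-- application's parsing schema, in upper case as stored in DBA_USERS).
-- If the ACL already exists (Tom's situation), skip step 1 and keep 2 and 3.
BEGIN
  -- 1. Create the ACL with its first principal: the APEX engine schema,
  --    which is the user APEX_LDAP-based authentication runs as.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'ldap_acl.xml',
    description => 'LDAP lookups for APEX applications',
    principal   => 'APEX_040100',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- 2. The plugin's PL/SQL runs as the parsing schema, so the ACL check is
  --    made against that user, not APEX_040100. It must be added explicitly;
  --    this is the grant that was missing in the thread.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'ldap_acl.xml',
    principal => 'YOUR_PARSING_SCHEMA',
    is_grant  => TRUE,
    privilege => 'connect');

  -- 3. Bind the ACL to the one LDAP host and port the plugin talks to.
  --    Least privilege: no wildcard host, no open port range.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'ldap_acl.xml',
    host       => 'ldap1.domain.cntry',
    lower_port => 389,
    upper_port => 389);

  COMMIT;
END;
/

-- Verification. CHECK_PRIVILEGE returns 1 = granted, 0 = explicitly denied,
-- NULL = principal not in the ACL at all. NULL for the parsing schema is
-- precisely the state that produces ORA-24247 in the thread above.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('ldap_acl.xml', 'YOUR_PARSING_SCHEMA', 'connect') AS parsing_schema_connect,
       DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('ldap_acl.xml', 'APEX_040100',         'connect') AS apex_engine_connect
  FROM dual;

-- Which ACL is assigned to the LDAP host and port (should list ldap_acl.xml).
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls
 WHERE host = 'ldap1.domain.cntry';

-- Every principal covered by that ACL, to spot over-broad grants.
SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges
 WHERE acl LIKE '%ldap_acl.xml';
```

Tom's SQL*Plus test passed because it was run as APEX_040100, which was already in the ACL; the same code inside the authorization scheme runs as the parsing schema and therefore hit the missing grant. The verification queries make that difference visible without having to run the application: the first SELECT should return 1 in both columns once the script has been applied.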
January 16, 2013
The Entry has been updated in the meantime!