Solved

Ldap authentication is working for one user but doesn't work with the %LDAP_USER%

Posted on 2010-11-26
14
932 Views
Last Modified: 2012-05-10
Ldap authentication is working for one user with this string.

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

But not with

cn=%LDAP_USER%,OU=Users,OU=_company,DC=company,DC=com
Is there something to set up on the Active Directory side or on the Apex side?

Question by:meagain0707

14 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 334 total points
ID: 34218894
The real question is what %LDAP_USER% translates to: is it really seen as a variable that gets evaluated/replaced with the correct term prior to submitting the query to AD? Check the security log on the DCs and see what information is presented for these queries.
0
 

Author Comment

by:meagain0707
ID: 34218926
Thanks, I will check this on Monday, as I don't have access today.
0
 
LVL 4

Assisted Solution

by:shudman
shudman earned 166 total points
ID: 34226646
Also, are you sure it is cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com
 and not:
cn=Jay Smith,CN=Users,OU=_company,DC=company,DC=com

note the CN instead of OU!

I don't know anything about Apex... but do you even need the %%'s around the variable? In VBScript, as long as the variable is defined previously, you just place the variable in the path:

myVal = "cn=" & LDAP_USER & ",cn=Users,OU=_company,DC=company,DC=com"
0
 

Author Comment

by:meagain0707
ID: 34270895
Hi shudman,

It is OU, when I change it to OU it does work at all. Thanks though.
0
 
LVL 4

Expert Comment

by:shudman
ID: 34270923
OU or CN does or doesn't work ?
0
 

Author Comment

by:meagain0707
ID: 34270944
Hi Arnold,

It translates to the full name. So if I enter Joe Smith as the user name with the password it works. I want to authenticate so the user can enter jsmith@email.com. This is called the userPrincipalName. Any ideas on how to do that? We are using apex 4.
0
 

Author Comment

by:meagain0707
ID: 34270971
Hi shudman,

Sorry, when I change it to CN it does work at all.
0
 

Author Comment

by:meagain0707
ID: 34270976
Hi shudman,

Sorry, when I change it to CN it doesn't ('does not') work at all.
0
 
LVL 4

Expert Comment

by:shudman
ID: 34271000
OK. Can you pipe out/display the value of %LDAP_USER% before you get to the cn= string in your code? What is the value?
0
 

Author Comment

by:meagain0707
ID: 34271179
I don't know how to do that.

The documentation states:

Under LDAP Settings, Enter the LDAP configuration parameters. LDAP Host, LDAP Port, and LDAP DN string are required. Obtain the correct values for these from an administrator, if necessary. You must replace the username component of the DN string with the placeholder '%LDAP_USER%'. For example, if an actual DN string for user 'joe' would be:

cn=joe,l=amer,dc=oracle,dc=com

Enter the following for the LDAP DN String parameter:

cn=%LDAP_USER%,l=amer,dc=oracle,dc=com

The engine will take the value of upper(p_username) passed to the login API and replace %LDAP_USER% with it before making the call to DBMS_LDAP.SIMPLE_BIND_S.

The  Systems Administrator gave me this information:

CN=Joe Smith,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

I'm using

cn=%LDAP_USER%,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

 and this works when I use the username  Joe Smith

I would like to use either jsmith or jsmith@company.com. I don't see where I can change the authentication to use userPrincipalName (jsmith@company.com).

I will keep searching and reading. Thanks.

0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 334 total points
ID: 34272098
user@domain will likely need to use a strip mechanism since the domain is part of the string.
i.e. jsmith@domain.com will have the domain.com stripped out of the realm

You can try instead of %LDAP_USER% use %LDAP_USER:@company.com=%
This will strip out the @company.com if included prior to sending the data to the LDAP server as a query and should work.


0
 

Author Comment

by:meagain0707
ID: 34272166
Thanks arnold, I tried but it didn't work. The problem is: the %LDAP_USER% must look up the 'Full name' and then check the password. I tried this too; removed the %LDAP_USER% and put back the Joe Smith. When I tested the login I used 'j9r7q49ty9-garbage' for the user name and the correct password for Joe Smith and it worked.

There must (?), rather, might be a way to change it so it looks up the userPrincipalName (jsmith@company.com) attribute instead of the common name attribute. So when you enter the user name jsmith@company.com it authenticates against the userPrincipalName attribute instead of the common name attribute.
0
 

Author Comment

by:meagain0707
ID: 34272467
I'm almost there.... I think. I had to use DBMS_LDAP package.... More on Monday.....
0
 

Author Closing Comment

by:meagain0707
ID: 34315206
I know what I have to do now, so I'm closing this question. Thanks
0
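The approach the author ended up with (look the typed name up by userPrincipalName through DBMS_LDAP, then bind as the resolved DN), written out as an APEX 4 custom authentication function. This is an added example, not code from the thread or from Oracle; the AD host, LDAPS port, wallet path, lookup service account and the @company.com suffix are assumptions, and the search base is the thread's own.

```plsql
-- Constructed example: host, port, wallet path, lookup account and the @company.com suffix are assumed; the search base is from the thread.
CREATE OR REPLACE FUNCTION upn_ldap_auth (p_username IN VARCHAR2,
                                          p_password IN VARCHAR2)
RETURN BOOLEAN IS
  c_host   CONSTANT VARCHAR2(100) := 'dc1.company.com';               -- assumed
  c_port   CONSTANT PLS_INTEGER   := 636;                             -- LDAPS, assumed
  c_svc_dn CONSTANT VARCHAR2(200) := 'CN=apex-lookup,OU=Service,DC=company,DC=com'; -- assumed
  c_svc_pw CONSTANT VARCHAR2(100) := '<lookup account password>';     -- placeholder
  c_base   CONSTANT VARCHAR2(100) := 'OU=_Company,DC=company,DC=com'; -- from the thread
  l_ld     DBMS_LDAP.session;         l_res DBMS_LDAP.message;
  l_attrs  DBMS_LDAP.string_collection;
  l_rc     PLS_INTEGER;   l_upn VARCHAR2(200);   l_dn VARCHAR2(400);
  -- RFC 4515 escaping so the typed name cannot change the search filter
  FUNCTION esc (p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p, '\', '\5c'),
             '*', '\2a'), '(', '\28'), ')', '\29'), CHR(0), '\00');
  END;
  -- sslauth 2 = one-way SSL: the server certificate is checked against the wallet
  FUNCTION connect_ssl RETURN DBMS_LDAP.session IS
    l_s DBMS_LDAP.session := DBMS_LDAP.init(c_host, c_port);
  BEGIN
    l_rc := DBMS_LDAP.open_ssl(l_s, 'file:/u01/app/oracle/wallet', NULL, 2); -- path assumed
    RETURN l_s;
  END;
BEGIN
  -- Never bind with an empty password: AD treats it as an anonymous bind and answers success
  IF p_username IS NULL OR p_password IS NULL THEN RETURN FALSE; END IF;
  l_upn := CASE WHEN INSTR(p_username, '@') > 0 THEN p_username
                ELSE p_username || '@company.com' END;
  DBMS_LDAP.use_exception := TRUE;            -- errors raise instead of returning codes
  -- Step 1: bind as a read-only lookup account and resolve UPN -> DN
  l_ld := connect_ssl;
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_svc_dn, c_svc_pw);
  l_attrs(1) := 'distinguishedName';
  l_rc := DBMS_LDAP.search_s(l_ld, c_base, DBMS_LDAP.SCOPE_SUBTREE,
            '(&(objectClass=user)(userPrincipalName=' || esc(l_upn) || '))', l_attrs, 0, l_res);
  IF DBMS_LDAP.count_entries(l_ld, l_res) = 1 THEN
    l_dn := DBMS_LDAP.get_dn(l_ld, DBMS_LDAP.first_entry(l_ld, l_res));
  END IF;
  l_rc := DBMS_LDAP.unbind_s(l_ld);
  IF l_dn IS NULL THEN RETURN FALSE; END IF;  -- unknown or ambiguous account
  -- Step 2: prove the password by binding as the resolved DN
  l_ld := connect_ssl;
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, l_dn, p_password);
  l_rc := DBMS_LDAP.unbind_s(l_ld);
  RETURN TRUE;
EXCEPTION
  WHEN OTHERS THEN RETURN FALSE;              -- wrong password or LDAP error
END upn_ldap_auth;
```

Register it as the authentication function of a custom authentication scheme; the empty-password check and the filter escaping are the two details worth keeping whatever host and base you substitute.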
