Solved

LDAP authentication is working for one user but doesn't work with the %LDAP_USER% placeholder

Posted on 2010-11-26
959 Views
Last Modified: 2012-05-10
LDAP authentication is working for one user with this DN string:

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

But not with:

cn=%LDAP_USER%,OU=Users,OU=_company,DC=company,DC=com

Is there something to set up on the Active Directory side or on the Apex side?

Question by:meagain0707
14 Comments
 
LVL 78

Accepted Solution

by:
arnold earned 334 total points
ID: 34218894
The real question is what %LDAP_USER% translates to: is it really seen as a variable that gets evaluated/replaced with the correct term first, prior to submitting the query to AD? Check the security log on the DCs and see what information is presented for these queries.
 

Author Comment

by:meagain0707
ID: 34218926
Thanks, I will check this on Monday, as I don't have access today.
 
LVL 4

Assisted Solution

by:shudman
shudman earned 166 total points
ID: 34226646
Also, are you sure it is

cn=Jay Smith,OU=Users,OU=_company,DC=company,DC=com

and not:

cn=Jay Smith,CN=Users,OU=_company,DC=company,DC=com

Note the CN instead of OU!

I don't know anything about Apex... but do you even need the %%'s around the variable? In VBScript, as long as the variable is defined previously, you just place the variable in the path:

myVal = "cn=" & LDAP_USER & ",cn=Users,OU=_company,DC=company,DC=com"

Author Comment

by:meagain0707
ID: 34270895
Hi shudman,

It is OU, when I change it to OU it does work at all. Thanks though.
 
LVL 4

Expert Comment

by:shudman
ID: 34270923
OU or CN: does it or doesn't it work?
 

Author Comment

by:meagain0707
ID: 34270944
Hi Arnold,

It translates to the full name. So if I enter Joe Smith as the user name with the password, it works. I want to authenticate so the user can enter jsmith@email.com. This is called the userPrincipalName. Any ideas on how to do that? We are using Apex 4.
 

Author Comment

by:meagain0707
ID: 34270971
Hi shudman,

Sorry, when I change it to CN it does work at all.
 

Author Comment

by:meagain0707
ID: 34270976
Hi shudman,

Sorry, when I change it to CN it doesn't ('does not') work at all.
 
LVL 4

Expert Comment

by:shudman
ID: 34271000
OK. Can you pipe out/display the value of %LDAP_USER% before you get to the cn= string in your code? What is the value?
 

Author Comment

by:meagain0707
ID: 34271179
I don't know how to do that.

The documentation states:

Under LDAP Settings, enter the LDAP configuration parameters. LDAP Host, LDAP Port, and LDAP DN string are required. Obtain the correct values for these from an administrator, if necessary. You must replace the username component of the DN string with the placeholder '%LDAP_USER%'. For example, if an actual DN string for user 'joe' would be:

cn=joe,l=amer,dc=oracle,dc=com

enter the following for the LDAP DN String parameter:

cn=%LDAP_USER%,l=amer,dc=oracle,dc=com

The engine will take the value of upper(p_username) passed to the login API and replace %LDAP_USER% with it before making the call to DBMS_LDAP.SIMPLE_BIND_S.

The Systems Administrator gave me this information:

CN=Joe Smith,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

I'm using

cn=%LDAP_USER%,OU=HO,OU=Users,OU=_Company,DC=company,DC=com

and this works when I use the username Joe Smith.

I would like to use either jsmith or jsmith@company.com. I don't see where I can change the authentication to use userPrincipalName (jsmith@company.com).

I will keep searching and reading. Thanks.
 
LVL 78

Assisted Solution

by:arnold
arnold earned 334 total points
ID: 34272098
user@domain will likely need to use a strip mechanism, since the domain is part of the string, i.e. jsmith@domain.com will have the domain.com stripped out of the realm.

You can try, instead of %LDAP_USER%, using %LDAP_USER:@company.com=%

This will strip out the @company.com, if included, prior to sending the data to the LDAP server as a query, and should work.
 

Author Comment

by:meagain0707
ID: 34272166
Thanks arnold, I tried, but it didn't work. The problem is: the %LDAP_USER% must look up the 'Full name' and then check the password. I tried this too; I removed the %LDAP_USER% and put back the Joe Smith. When I tested the login I used 'j9r7q49ty9-garbage' for the user name and the correct password for Joe Smith, and it worked.

There must (?), rather, might be a way to change it so it looks up the userPrincipalName (jsmith@company.com) attribute instead of the common name attribute. So when you enter the user name jsmith@company.com it authenticates against the userPrincipalName attribute instead of the common name attribute.
 

Author Comment

by:meagain0707
ID: 34272467
I'm almost there.... I think. I had to use DBMS_LDAP package.... More on Monday.....
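Since the thread ends with the author moving to the DBMS_LDAP package directly, here is an added example (not code from the thread, from Oracle, or from Apex itself) of the kind of custom authentication function that replaces the %LDAP_USER% DN template in Apex 4: it looks up the account by userPrincipalName through a read-only service account, then binds as the returned DN with the password the user typed. The host dc01.company.com, port 389, the base DN, the service-account DN and password placeholder, and the @company.com UPN suffix are all assumptions; the Apex custom-authentication signature (p_username, p_password, returning BOOLEAN) and the DBMS_LDAP calls are real.

```plsql
-- Added example (not from the thread): Apex 4 custom authentication function
-- that resolves userPrincipalName to a DN with DBMS_LDAP and binds as that DN.
-- Host, port, base DN, service account and UPN suffix below are assumptions.
CREATE OR REPLACE FUNCTION ldap_upn_authenticate (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    l_host     CONSTANT VARCHAR2(100) := 'dc01.company.com';             -- assumed
    l_port     CONSTANT PLS_INTEGER   := 389;                            -- assumed
    l_base_dn  CONSTANT VARCHAR2(200) := 'OU=_Company,DC=company,DC=com'; -- assumed
    -- Read-only lookup account; assumed. Keep the real password in a secure
    -- store (wallet / credential table), not in source.
    l_svc_dn   CONSTANT VARCHAR2(200) := 'CN=apex-ldap-svc,OU=Service,DC=company,DC=com';
    l_svc_pwd  CONSTANT VARCHAR2(100) := 'SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER';

    l_session  DBMS_LDAP.session;
    l_attrs    DBMS_LDAP.string_collection;
    l_message  DBMS_LDAP.message;
    l_entry    DBMS_LDAP.message;
    l_retval   PLS_INTEGER;
    l_filter   VARCHAR2(400);
    l_user_dn  VARCHAR2(1000);
    l_upn      VARCHAR2(400);

    -- Escape the characters RFC 4515 reserves in filter values so the typed
    -- login name cannot change the structure of the search filter.
    FUNCTION escape_filter (p_value IN VARCHAR2) RETURN VARCHAR2 IS
        l_out VARCHAR2(4000) := p_value;
    BEGIN
        l_out := REPLACE(l_out, '\', '\5c');
        l_out := REPLACE(l_out, '*', '\2a');
        l_out := REPLACE(l_out, '(', '\28');
        l_out := REPLACE(l_out, ')', '\29');
        l_out := REPLACE(l_out, CHR(0), '\00');
        RETURN l_out;
    END escape_filter;
BEGIN
    -- An empty password must never reach simple_bind_s: LDAP treats a bind
    -- with an empty password as an anonymous bind and reports success.
    IF p_username IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Accept "jsmith" as well as "jsmith@company.com" (suffix assumed).
    l_upn := LOWER(p_username);
    IF INSTR(l_upn, '@') = 0 THEN
        l_upn := l_upn || '@company.com';
    END IF;

    DBMS_LDAP.use_exception := TRUE;   -- raise on any LDAP error
    l_session := DBMS_LDAP.init(l_host, l_port);

    -- Step 1: bind as the service account and search for the UPN.
    l_retval := DBMS_LDAP.simple_bind_s(l_session, l_svc_dn, l_svc_pwd);
    l_filter := '(&(objectClass=user)(userPrincipalName='
                || escape_filter(l_upn) || '))';
    l_attrs(1) := 'distinguishedName';
    l_retval := DBMS_LDAP.search_s(l_session, l_base_dn, DBMS_LDAP.SCOPE_SUBTREE,
                                   l_filter, l_attrs, 0, l_message);

    -- Exactly one account must match; zero or several means "not authenticated".
    IF DBMS_LDAP.count_entries(l_session, l_message) <> 1 THEN
        l_retval := DBMS_LDAP.unbind_s(l_session);
        RETURN FALSE;
    END IF;
    l_entry   := DBMS_LDAP.first_entry(l_session, l_message);
    l_user_dn := DBMS_LDAP.get_dn(l_session, l_entry);
    l_retval  := DBMS_LDAP.unbind_s(l_session);

    -- Step 2: fresh session, bound as the user's own DN with the supplied
    -- password. This bind is the actual credential check.
    l_session := DBMS_LDAP.init(l_host, l_port);
    BEGIN
        l_retval := DBMS_LDAP.simple_bind_s(l_session, l_user_dn, p_password);
        l_retval := DBMS_LDAP.unbind_s(l_session);
        RETURN TRUE;
    EXCEPTION
        WHEN OTHERS THEN
            -- Wrong password or any other bind failure is a failed login.
            l_retval := DBMS_LDAP.unbind_s(l_session);
            RETURN FALSE;
    END;
END ldap_upn_authenticate;
/
```

Two details follow directly from what the thread observed. The author's test with a fixed DN and a garbage user name succeeding shows that once the DN no longer contains the typed name, the user name contributes nothing to the check; in the function above the name is what selects the DN, and the count_entries check refuses to bind if the UPN does not resolve to exactly one account. The empty-password guard matters for the same reason: DBMS_LDAP.SIMPLE_BIND_S with a correct DN and an empty password is an anonymous bind that returns success, so without that guard a blank password would log the user in. The %LDAP_USER:@company.com=% strip suggested earlier in the thread is not needed here, because the suffix is kept and matched against userPrincipalName rather than removed.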
 

Author Closing Comment

by:meagain0707
ID: 34315206
I know what I have to do now, so I'm closing this question. Thanks