LDAP with SSL
Hello Experts,
I just tried to set up LDAP authentication with the built-in feature of APEX.
Because I wasn't able to make it work, I tried to set up my own LDAP authentication scheme with the following code:
create or replace package body "PKG_AUTH" is

  function FUNCTION_LDAP_1(
    P_PASSWORD IN VARCHAR2,
    P_USERNAME IN VARCHAR2
  ) return BOOLEAN as
    p_dn        varchar2(128) := 'cn=' || p_username || ',ou=XX,ou=YY,ou=ZZ,o=data';
    p_ldap_host varchar2(128) := 'ServerHostName';
    p_ldap_port number        := <PORT>;
    l_retval    pls_integer;
    l_retval2   pls_integer;
    l_session   dbms_ldap.session;
  begin
    l_retval := -1;
    dbms_ldap.use_exception := TRUE;
    begin
      l_session := dbms_ldap.init( p_ldap_host, p_ldap_port ); -- Seems to work fine if I comment out the next two lines, so I think I'm able to contact the LDAP server.
      l_retval := dbms_ldap.simple_bind_s( l_session, p_dn, p_password ); -- If I execute this line, I get the error: "ORA-31202: DBMS_LDAP: LDAP-Client-/Server-Fehler: Can't contact LDAP server"
      l_retval2 := dbms_ldap.unbind_s( l_session );
      return true;
    exception
      when others then
        l_retval2 := dbms_ldap.unbind_s( l_session );
        APEX_DEBUG_MESSAGE.ENABLE_DEBUG_MESSAGES(p_level => 3);
        APEX_DEBUG_MESSAGE.LOG_MESSAGE(
          p_message => 'l_retval: ' || l_retval || dbms_utility.format_error_stack
                       || ' <|> ' || dbms_utility.format_error_backtrace,
          p_level   => 1
        );
        return false;
    end;
  exception
    when others then
      return false;
  end FUNCTION_LDAP_1;

end "PKG_AUTH";
I get the error 'LDAP-Client/Server-Fehler: failed to contact the LDAP server'.
To me, it seems that the problem is in this line (please also look at the comment in the code above):
l_retval := dbms_ldap.simple_bind_s( l_session, p_dn, p_password );
Additional information:
- We have defined an all-open rule in our ACL.
- On the front end, I get the message "Invalid Credentials" (or something similar).
- Application Express 4.2.3.00.08
- I can connect to the LDAP server with the code in the following thread: Ping in PL SQL function
That's one more reason for my guess that the problem is not "cannot contact the LDAP server". I'm confused (due to this error).
- I think that we have not set up a wallet for our LDAP server. Do I really need one?
On APEX_LDAP, they say you only need a wallet if you use "SSL with one-way authentication" (APEX_LDAP.AUTHENTICATE, parameter p_use_ssl).
But now the problem seems to have originated elsewhere. Am I wrong?
Appreciate any help!
OK. Do you use the built-in LDAP auth. scheme?
No. I still cannot get it to work. I can connect using the following code:
declare
  l_ldapHost     VARCHAR2(100) := 'your.ad.domain';
  l_ldapPort     NUMBER        := 636;  -- set your SSL port
  walletPassword VARCHAR2(30)  := 'wallet_password';
  l_retval       pls_integer;
  l_session      dbms_ldap.session;
begin
  l_retval := -1;
  dbms_ldap.use_exception := TRUE;
  l_session := dbms_ldap.init(l_ldapHost, l_ldapPort);
  -- open SSL using the wallet; 2 = one-way authentication (the server certificate is verified)
  l_retval := dbms_ldap.open_ssl(l_session, 'file:/etc/oracle/wallets', walletPassword, 2);
  l_retval := DBMS_LDAP.simple_bind_s(l_session, :p_username, :p_password);
  dbms_output.put_line(l_retval);
  -- unbind_s is a function, so its return value must be assigned
  l_retval := DBMS_LDAP.UNBIND_S(l_session);
end;
You can use custom authentication.
But you must install the wallet and add your domain's root certificate to its trusted certificates. And don't forget to change l_ldapHost, l_ldapPort, walletPassword, p_username and p_password to your values.
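As an added example combining the two snippets in this thread (it is not code from either poster): the bind is preceded by open_ssl against a wallet, the username is escaped before it is spliced into the DN, and an empty password is refused because many directories treat it as an unauthenticated bind that appears to succeed. The host name, wallet path and password, and the DN suffix are placeholders to replace with your own.

```plsql
-- Added example, not the posters' code: LDAPS bind for an APEX custom
-- authentication scheme. Assumes an Oracle wallet at c_wallet that already
-- holds the directory's root CA certificate. The package spec declaring
-- function_ldap_1 is omitted here, as it is in the original post.
create or replace package body pkg_auth is

  -- Escape the RFC 4514 special characters so that a username containing
  -- ',' or '=' cannot alter the structure of the DN we bind with.
  function escape_dn_value(p_value in varchar2) return varchar2 is
    l_out varchar2(4000) := p_value;
  begin
    l_out := replace(l_out, '\', '\\');   -- backslash first, before adding escapes
    l_out := replace(l_out, ',', '\,');
    l_out := replace(l_out, '+', '\+');
    l_out := replace(l_out, '"', '\"');
    l_out := replace(l_out, '<', '\<');
    l_out := replace(l_out, '>', '\>');
    l_out := replace(l_out, ';', '\;');
    l_out := replace(l_out, '=', '\=');
    -- a trailing space, then a leading space or '#', must also be escaped
    if substr(l_out, -1) = ' ' then
      l_out := substr(l_out, 1, length(l_out) - 1) || '\ ';
    end if;
    if substr(l_out, 1, 1) in (' ', '#') then
      l_out := '\' || l_out;
    end if;
    return l_out;
  end escape_dn_value;

  function function_ldap_1(p_password in varchar2, p_username in varchar2)
    return boolean
  is
    c_ldap_host  constant varchar2(128) := 'ldap.example.test';        -- placeholder
    c_ldap_port  constant pls_integer   := 636;                        -- LDAPS port
    c_wallet     constant varchar2(256) := 'file:/etc/oracle/wallets'; -- placeholder
    c_wallet_pwd constant varchar2(30)  := 'wallet_password';          -- placeholder
    c_dn_suffix  constant varchar2(128) := ',ou=XX,ou=YY,ou=ZZ,o=data';
    l_session    dbms_ldap.session;
    l_retval     pls_integer;
    l_dn         varchar2(512);
  begin
    -- An empty password is an unauthenticated bind (RFC 4513), which many
    -- directories accept: refuse it here rather than let it "succeed".
    if p_username is null or p_password is null then
      return false;
    end if;
    l_dn := 'cn=' || escape_dn_value(p_username) || c_dn_suffix;

    dbms_ldap.use_exception := true;   -- LDAP failures raise ORA-31202
    begin
      l_session := dbms_ldap.init(c_ldap_host, c_ldap_port);
      -- On an LDAPS port open_ssl must precede the bind; sslauth = 2 is one-way
      -- authentication: the server certificate is checked against the wallet.
      l_retval := dbms_ldap.open_ssl(l_session, c_wallet, c_wallet_pwd, 2);
      l_retval := dbms_ldap.simple_bind_s(l_session, l_dn, p_password);
      l_retval := dbms_ldap.unbind_s(l_session);
      return true;
    exception
      when others then
        -- Keep the real cause (the LDAP error text travels inside ORA-31202)
        -- in the debug log; the login page only learns "no".
        apex_debug_message.log_message(
          p_message => 'LDAP bind failed for ' || l_dn || ': ' || sqlerrm,
          p_level   => 1);
        if l_session is not null then
          begin
            l_retval := dbms_ldap.unbind_s(l_session);
          exception
            when others then null;   -- session already gone
          end;
        end if;
        return false;
    end;
  end function_ldap_1;

end pkg_auth;
```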
But why does APEX offer a built-in LDAP authentication scheme where you can use SSL, while on the other hand it does not offer a way to set the path to an Oracle wallet?
Don't we have to install the wallet in a special directory (if we want to use the built-in authentication scheme)?
See the APEX 2.4 documentation on managing instance settings to see how to install the wallet for APEX.
Tags: Database
Similar Questions
-
LDAP over SSL doesn't work between ASA and AD server
Hi all.
We have configured a clientless SSL WebVPN portal on an ASA5525 using LDAP authentication with an AD server. All is well until we enable LDAP over SSL to allow users to change an expired password. They just get a connection error every time, even if their password is correct.
The systems team have installed the necessary certificate on the AD server.
In the ASDM log I get:
Joffrey.pcmtu.Keele.AC.UK marking AAA in aaa-Server CTU_LDAP04 group LDAP server down
Marking AAA 172.16.0.10 LDAP server group aaa-server active CTU_LDAP04
On the ASA, with debug ldap 255, I get the following:
[50] starting a session
[50] new application Session, framework 0x00007fffddc99a60, reqType = authentication
[50] the fiber began
[50] create LDAP context with uri = ldaps://172.16.0.10:636
[50] to connect to the LDAP server: ldaps://172.16.0.10:636, status = failure
[50] cannot read the rootDSE. Cannot contact the LDAP server.
[50] output fiber Tx = 0 bytes Rx = 0 bytes, status =-2
[50] end of session
On the AD server, the systems team report TLS Fatal Alert Code 48, which is...
Received a valid certificate chain or partial chain, but the certificate was rejected because the CA could not be located or could not be matched with a known, trusted CA. This message is always fatal.
Can someone shed some light on where we need to look?
Thank you. Richard.
Richard,
This could be due to:
https://Tools.Cisco.com/bugsearch/bug/CSCus71190/?reffering_site=dumpcr
M.
-
The IIOP listener/handler with SSL security
Hello
I'm looking into securing CORBA client connections to ISL/ISH with SSL. Client authentication is not required, just server authentication and encryption. After reviewing the documentation, I have a few questions about it.
1. The 'Using Security in CORBA Applications' manual indicates that an LDAP server is used as the certificate repository for the ISL/ISH server certificate. Are there alternatives to this, like using a key file, or is LDAP the only option?
2. Is it possible to configure the LDAP server (server name, port, etc.) without having to reinstall Tuxedo?
Regards,
Ian
Ian,
Tuxedo uses a plug-in framework architecture to manage certificates, and it is possible to replace the plug-in framework implementations.
In order to change the plug-in framework interfaces you need to get information about the epif* commands and the plug-in framework interfaces, and you will need to write code. Plug-in framework documentation is made available on an as-needed basis.
As documented in http://download.oracle.com/docs/cd/E15261_01/tuxedo/docs11gr1/sec/secadm.html#wp1239453, "For more information about security plug-ins, including the installation and configuration procedures, see your Oracle account manager."
The 'epifregedt -g' command shows the current configuration of the plug-in framework.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup" shows only the security/BEA/certificate_lookup interface settings.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup -a Params" shows the parameters with which this interface is instantiated.
Suppose that the result of this command is
Instantiation settings for security/BEA/certificate_lookup:
    "userCertificateLdap=ldap://localhost:389"
    "filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat"
Then the command
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup \
    -a Params=userCertificateLdap=ldap://abcxyz:1389 \
    -a Params=filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat
will change the LDAP location to ldap://abcxyz:1389.
Note that it is necessary to specify the filterFileLocation with this command, even if it does not change. Thus, it is not necessary to reinstall Tuxedo to change the LDAP settings.
Because the registry change commands can be difficult to use, you can experiment with these commands on a development system, or you can run
export REG_KEY_SYSTEM=System.rdp
cp $TUXDIR/udataobj/System.rdp $REG_KEY_SYSTEM
before experimenting with epifregedt -s (the value of REG_KEY_SYSTEM replaces the default of $TUXDIR/udataobj/System.rdp).
Kind regards
Ed
-
HLS (HTTP Live Streaming) with SSL
Hi guys
Could someone give me pointers, advice?
We tested CTS with and without AES and both work BB10.
Then we tested with SSL and the camera seems to use/send no certificates.
If we have our own SSL certificate, how can we use it via the MediaPlayer or WebView?
Kind regards
Pepe
Hello
The Cascades MediaPlayer API currently does not allow this feature. However, you should be able to do this if you use the mm-renderer C API instead (the Cascades MediaPlayer API is a wrapper around the C mm-renderer API). This means you need a bit more setup code and handling in C (instead of Qt/C++/QML), so just for reference I'm pasting some links:
* You can check the function mmr_context_parameters() - look for all the parameters you can pass (for example OPT_SSL_VERIFYPEER)
* Reference links for the mm-renderer engine:
https://developer.BlackBerry.com/native/reference/BB10/mmrenderer_libref/topic/about.html
* A sample application that shows the implementation of mm-renderer contexts:
https://github.com/BlackBerry/NDK-samples/tree/master/VideoPlayback
(Note that it does not use the mm-renderer event queue to listen for status updates here; but you should use that, instead of the BPS queue)
Cheers,
Rashid
-
How to configure the listener with SSL
Hi Experts,
I use 11g R2 EE. I want to configure my database listener so that it can be connected to using SSL.
Can someone provide me a step-by-step guide to configure the listener with SSL (including the wallet, since that comes into the picture)?
Command line configurations would be well appreciated.
Thanks in advance
Alexander gelin
The client configuration is the same as the server's:
1. Create the wallet.
2. Create the CSR and copy it to the CA.
3. Sign the CSR with your root certificate.
4. Copy the signed CRT file and the root public certificate to the client.
5. Configure the client's sqlnet.ora.
Thick clients already contain the necessary files. For thin clients, it is necessary to install the full or instant client.
In SQL Developer, the connection string should be like:
jdbc:oracle:oci:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST= )(PORT= )))(CONNECT_DATA=(SERVICE_NAME= ))(SECURITY=(MY_WALLET_DIRECTORY=D:\Oracle\client.test.p12)))
-
First time with SSL - teething problems
Hello
I have a new site and I decided to use SSL - just the very basic flavor.
I use Flickr images and that is giving me the popup problem in Internet Explorer, telling the user that there are secure and non-secure items.
So now I think that maybe I should only use https:// on some of my pages to get around this flying object? Or, I guess, not use Flickr. Yet, on a bloggy kind of site, does that mean that content can't get pulled in from other, non-secure sources?
(The reasons I chose to go with SSL are a) it is a WordPress site, b) it is a directory of companies where I'll be storing company details (but not charging for registration at this point) and c) I wanted to learn more about SSL.)
If anyone knows a decent SSL tutorial that has not been written for programmers, I'd love to have a look at it. Most of the things I've come across are either sales preamble or you need to be a scientist to understand them.
Thank you
Martin
[edit] And just to be clear, I think I want to say that most of my teething problems arose because I don't know what I'm doing - nothing new here.
Your absolute links to external sites should all use the https protocol. Try it and see if that helps.
-
I am trying to connect to my client's server, but he told me that he thinks Dreamweaver cannot connect with explicit SSL mode security and that is why I get errors trying to connect. I don't know a lot about FTP and servers. I tried SFTP, but it does not work. I searched this forum and cannot find a direct answer to the question: does Dreamweaver's FTP support explicit SSL connections? If not, are there add-on components that will help, or do I have to go with some other FTP client like Fetch? I'm on Mac OS X 10.5.5.
Thank you
Brianyevri wrote:
> Draw?
Actually, reading more about explicit SSL from here:
http://ftpguide.com/explicit.htm
I don't think that my previous suggestion will help. It looks like Dreamweaver uses SFTP, SSH-based FTP. You want FTPES, which only other clients like FileZilla can use. I don't see any way to do FTPES in CS3, sorry.
Dooza
--
Posting guidelines
http://www.Adobe.com/support/forums/guidelines.html
How to ask Smart Questions
http://www.CatB.org/ESR/FAQs/smart-questions.html
-
Problem with graphs with SSL active
Hi guys,
IIS server with SSL on. Everything works well except the graphs. I get a warning sign in the middle of the graph in two places - dashboards and answers. Has anyone seen this?
Thank you
The standard yellow triangle with the exclamation mark, which you get when your Java host is down?
-
Having a strange problem on my site. With the latest version of Firefox, 36, whenever I try to download a file of type doc or pdf, I get the following error:
The secure connection failed
The connection to the server was reset while the page is loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Contact the Web site owners to inform them of this problem.
It works in all other browsers and previous versions of Firefox. It also works if the page does not use https. We checked the SSL certificates and they are up to date. I'm just puzzled at how certain types of files cause this problem.
I'm just using the following simple code to test:
<!DOCTYPE html>
<html>
<head>
  <title>File Upload</title>
</head>
<body>
  <form id="editTemplateMultipart-editForm" method="post" enctype="multipart/form-data">
    <input type="file" name="myFile">
    <button>Send the file</button>
  </form>
</body>
</html>
Thanks for your help
In fact, we just discovered the issue! Looks like the SSL accelerator was returning some parsing errors. Had Cisco technical support examine it and they fixed it.
-
Safari no longer works with SSL self-signed certificates?
With the latest Safari (9.0.3) on OS X (running 10.11.3) and iOS (9.2.1), I can no longer connect to sites that use self-signed SSL certificates. Previously, I was warned that the site certificate was not "valid" but given the opportunity to continue anyway. This is the behavior I want back. It still works fine in Chrome and Firefox, but now Safari just gives me an error "Safari can't open the page" as it would if it could not reach the server. Specifically, it says "Safari can't open the page https://myselfsignedhost.com because Safari is unable to establish a connection to the server myselfsignedhost.com".
It does not give me the opportunity to inspect the certificate, add the certificate to my keychain, trust the cert, ignore the warning once or anything else that would be useful... It just pretends it can't connect. Am I missing something? How do I restore the old functionality? This 'bug' makes Safari completely useless for me.
OK, some info... This seems to apply only to SOME sites with self-signed SSL certs... The only obvious thing I can think of is that maybe it applies to sites where the SSL certificate when the page was first loaded?
If I open a new private window, I can access the page without problem. If I open a new standard window, I can also open the page, until I quit Safari. Once I have quit, it stops loading with the same error...
If I manually add the SSL certificate to my keychain as trusted, the page also works... There may be a certificate cache somewhere that is out of date?
-
Problem with ssl on ISA Server 2004 traffic shaping
Hello
I use the "Bandwidthsplitter" add-on for ISA Server 2004 (Enterprise Edition) for traffic shaping and quota control. I have a serious problem with it. This add-on does not take into account users' SSL traffic, and I need to restart the Microsoft ISA Server Control Service periodically or allow the users to stay connected via SSL until they kill their session themselves.
I will be grateful if someone can help me solve this problem.
Thanks in advance
Bijan
Hello
The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will support what you ask:
http://social.technet.Microsoft.com/forums/en-us/Forefrontedgegeneral/threads
-
vmcli fails with SSL connection error against iDRAC 2.40.40.40
Hello community,
We recently received a handful of new R730XD servers, shipping with iDRAC firmware revision 2.40.40.40.
So far, we have been using vmcli for mounting a local ISO file during deployment - but now vmcli fails with "error: SSL connection error". It seems to relate to the firmware version: iDRAC 2.30.30.30 works very well, while 2.40.40.40 fails with the above-mentioned error.
Has anyone experienced this - and any ideas for a resolution/workaround?
/ Hans
In the iDRAC, go to iDRAC Settings > Network > Services and try changing the TLS configuration from 1.1 to 1.0.
-
Dual WAN router with SSL VPN inaccessible for clients
I have a Cisco 888 configured in a Dual WAN setup. There is an ADSL link connected to VLAN 100 and an SDSL link associated with Dialer0. The customer wishes to use the ADSL link for normal browsing and to terminate external SSL VPN users on the SDSL connection. I tried to configure link failover from ADSL to SDSL.
What works:
- Internet access for clients
What does not work:
- The ADSL to SDSL connection failover.
- SSL VPN access for clients. Browsing to the external IP address only results in a default HTTP page. Specifying webvpn.html results in a 404 not found error.
Here is my configuration:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname x
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 x
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3964912732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3964912732
 revocation-check none
 rsakeypair TP-self-signed-3964912732
!
!
crypto pki certificate chain TP-self-signed-3964912732
 certificate self-signed 03
  x
  quit
ip source-route
!
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 213.75.63.36 213.75.63.70
 lease 2 0
!
!
ip cef
no ip domain lookup
ip domain name x
no ipv6 cef
!
!
license udi pid CISCO888-K9 sn x
!
!
username ciscoadmin privilege 15 secret 5 x
username vpnuser password 0 x
!
!
controller DSL 0
 mode atm
 dsl-mode shdsl symmetric annex B
!
interface Loopback1
 description SSL gateway dhcp pool address
 ip address 192.168.250.1 255.255.255.0
!
interface Loopback2
 description SSL VPN IP address
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR_SSL
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc KPN 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
!
interface Vlan100
 description KPN ADSL 20/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface Dialer0
 description KPN SDSL 2/2
 ip address negotiated
 ip access-group INTERNET_ACL in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username x password 0 x
 no cdp enable
!
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool SSLVPN_SDSL 10.10.10.1 10.10.10.1 netmask 255.255.255.0
ip nat inside source static tcp 10.10.10.1 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer0 80
ip nat inside source route-map NAT_ADSL interface Vlan100 overload
ip nat inside source route-map NAT_SDSL pool SSLVPN_SDSL overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
ip access-list extended INTERNET_ACL
 remark used with CBAC
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit tcp any host 92.64.32.169 eq www 443
 deny ip any any log
ip access-list extended LAN
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any
!
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NAT_SDSL permit 10
 match ip address LAN
 match interface Dialer0
!
route-map NAT_ADSL permit 10
 match ip address LAN
 match interface Vlan100
!
route-map PBR_SSL permit 10
 set interface Dialer0
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway MyGateway
 hostname d0c
 ip address 10.10.10.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3964912732
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3
!
webvpn context SecureMeContext
 title "SSL VPN Service"
 secondary-color #C0C0C0
 title-color #808080
 ssl authenticate verify all
 !
 login-message "VPN"
 !
 policy group MyDefaultPolicy
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
 default-group-policy MyDefaultPolicy
 aaa authentication list sslvpn
 gateway MyGateway
 inservice
!
end
Any suggestions on where to look?
Hello
It works for me. When the client tries to resolve the FQDN for the domain specified in "svc split dns ..." it will contact the DNS server assigned through the tunnel. For all other queries, it contacts the DNS outside the tunnel.
Can you run a packet capture on the physical interface on the client to see the DNS query leaving?
Also in some routers, DNS is designated as the router itself (which is usually an address like 192.168.X.X), so you want to make sure that the assigned DNS server is not part of the split tunnel.
Naman
-
VPN 3000 Series concentrator with SSL problem
I use HTTP access to the VPN concentrator and install SSL on the page using IE 6. I open the file and installed the certificate successfully in IE; I can view the contents of the certificate through IE.
I allow cookies and JavaScript in the security tab for IE. Why can't I still access it using https? Is there any other configuration that I left out? I use https to access the private interface, which has a private IP address.
Kind regards
Sam
If you set up the certificate in a test environment, it may have the wrong IP address. Check under Administration | Certificate Management that the IP address in your SSL certificate is the IP address of your interface. If you have changed the IP address since the certificate was generated, it will no longer work. I'm assuming that you have configured everything properly under Configuration | System | Management Protocols | SSL.
Hope it helps,
Mark
-
LDAP requirements for SSL VPN on ASR 1002
Hi all
I intend to implement SSL VPN (AnyConnect) on an ASR 1002 router running IOS-XE Software Version 15.1(3)S2.
I need to use LDAP for user authentication and need to understand what the requirements are for RADIUS/TACACS+ to use LDAP.
Do I have to use Cisco ACS or can I use something like Microsoft IAS or FreeRADIUS?
Any help will be greatly appreciated.
Thank you
Dmitry.
Yes, you can use either LDAP, RADIUS or TACACS+ protocols to authenticate SSL VPN users.
You can use any authentication server (it doesn't have to be Cisco ACS), as long as it supports one of the 3 authentication protocols (LDAP, RADIUS or TACACS+).
Hope that answers your question.