LDAP with ssl

Hello Experts,

I just tried to set up a LDAP authentication with the built-in feature of the apex.

Because I wasn't able to make it work, I tried to set up my own LDAP authentication scheme with the following code:

create or replace package body "PKG_AUTH" is
function FUNCTION_LDAP_1( P_PASSWORD IN VARCHAR2, P_USERNAME IN VARCHAR2 ) return BOOLEAN

as
     p_dn varchar2(128) := 'cn=' || p_username || ',ou=XX,ou=YY,ou=ZZ,o=data';
     p_ldap_host varchar2(128) := 'ServerHostName';
     p_ldap_port number := <PORT>;
     l_retval pls_integer;
     l_retval2 pls_integer;
     l_session dbms_ldap.session;
begin
  l_retval := -1;
     dbms_ldap.use_exception := TRUE;
     begin
         l_session := dbms_ldap.init( p_ldap_host, p_ldap_port );                -- Seems to work fine if i comment the next two lines. So I think the I'm able to contact the LDAP server.   
         l_retval := dbms_ldap.simple_bind_s( l_session, p_dn, p_password );    -- if I execut this line, I get the error: "ORA-31202: DBMS_LDAP: LDAP-Client-/Server-Fehler: Can't contact LDAP server"
         l_retval2 := dbms_ldap.unbind_s( l_session );
         return true;
         exception when others then
               l_retval2 := dbms_ldap.unbind_s( l_session );
               APEX_DEBUG_MESSAGE.ENABLE_DEBUG_MESSAGES(p_level => 3);
               APEX_DEBUG_MESSAGE.LOG_MESSAGE(
                   p_message => 'l_retval: ' || l_retval || dbms_utility.format_error_stack|| ' <|> ' || dbms_utility.format_error_backtrace,
                   p_level => 1 );
         return false;
    end;
    exception when others then
    return false;
end FUNCTION_LDAP_1;

end "PKG_AUTH";

I get an error ' LDAP-Client/Server-Fehler: failed to contact the LDAP server.

To me, it seems that the problem is in the line (please look at the comment in the code above too)

l_retval := dbms_ldap.simple_bind_s( l_session, p_dn, p_password );

Additional information:

We have defined a All-Open-Rule to our ACL.
On the front end, I get a Message "Invalid Credientials" (or something similar)
Request Express 4.2.3.00.08
I can connect to the LDAP with the code in the following thrad: Ping in PL SQL function
That's a reason more to my guess that I don't have a problem "cannot contact the LDAP server."
I'm confused (due to this error)
I think that we have not implemented a portfolio for our LDAP server. Do I really need?
On APEX_LDAP , they say, you need just a portfolio if you use "SSL with one-way authentication" (APEX_LDAP. AUTHENTICATE = > parameter:p_use_ssl)
But now the problem seems to have originated elsewhere. I I'm wrong?

Appreciate any help!

Ok. Use build you - in ldap auth. schme?

No. I still cannot do its job. I can connect using the following code:

declare
   l_ldapHost VARCHAR2(100) := 'your.ad.domain';
   l_ldapPort NUMBER := 636; -- set your SSL port
   walletPassword VARCHAR2(30) := 'wallet_password';

   l_retval      pls_integer;
   l_session     dbms_ldap.session;

begin
      l_retval                := -1;

      dbms_ldap.use_exception := TRUE;

      l_session := dbms_ldap.init(l_ldapHost, l_ldapPort);

      l_retval := dbms_ldap.open_ssl (l_session, 'file:/etc/oracle/wallets', walletPassword, 2);

      l_retval := DBMS_LDAP.simple_bind_s(l_session, :p_username, :p_password);

      dbms_output.put_line(l_retval);
DBMS_LDAP.UNBIND_S(l_session);
end;

You can use custom authentication.

But you must install the portfolio and add your domain root certificate to trusted certificates. And don't forget to change l_ldapHost, l_ldapPort, walletPassword, p_username, p_password to your values.

But why offer apex to a system of authorisation: built-in ldap where you can use ssl, and on the other hand they do not offer an opportunity to set a path to a portfolio of oracle?

Do we not have to install the portfolio to a special directory? (If we want to use the built-in schema auth). ?

See the documentation for APEX 2.4 managing settings for Instance to see how to install portfolio pending of the APEX.

Tags: Database

Similar Questions

LDAP over SSL doesn't work is not between ASA and AD server

Hi all.

We have configured clientless SSL WebVPN portal on an ASA5525 using LDAP authentication with an ad server. All is well until what we enable LDAP over SSL to allow users to change an expired password. They get just connection error every time, even if their password is correct.

The systems team have installed the necessary certificate on the AD server.

The newspaper of the ASDM I get

Joffrey.pcmtu.Keele.AC.UK marking AAA in aaa-Server CTU_LDAP04 group LDAP server down
Marking AAA 172.16.0.10 LDAP server group aaa-server active CTU_LDAP04

On the ASA, I get the debugging ldap following 255

[50] starting a session
[50] new application Session, framework 0x00007fffddc99a60, reqType = authentication
[50] the fiber began
[50] create LDAP context with uri = ldaps://172.16.0.10:636
[50] to connect to the LDAP server: ldaps://172.16.0.10:636, status = failure
[50] cannot read the rootDSE. Cannot contact the LDAP server.
[50] output fiber Tx = 0 bytes Rx = 0 bytes, status =-2
[50] end of session

On the ad server, the systems team report TLS Fatal Alert Code 48 which is...

Received a valid certificate chain or partial string, but the certificate has been refused because the authority , could not be located or couldn't be matched with a known, trusted CA. This message is always fatal.

Can someone shed some light on where we need to look at.

Thank you. Richard.

Richard,

This could be due to:

https://Tools.Cisco.com/bugsearch/bug/CSCus71190/?reffering_site=dumpcr

M.

The IIOP listener/Manager with SSL security
Hello

I'm looking in securing client connections CORBA to ISL/ISH with SSL. The client authentication is not required, just the server authentication and encryption. After reviewing the documentation, I have a few questions about it.

1. the manual of ' security in the CORBA Applications using"indicates that an LDAP server is used as the repository of certificate for the certificate server ISL/ISH. Are there alternatives to this like using a key file or LDAP is the only option?

2. is it possible to configure the LDAP server (server name, port, etc.) without having to re - install Tuxedo?

Concerning
Ian
Ian,

Tuxedo uses a plugin framework architecture to manage the certificates and it is possible to replace the plugin framework implementations.

In order to change the framework plugin interfaces that you need to get the information about the orders of FRP * and the framework of plugin, interfaces, and you will need to write code. Plugin framework documentation is made available on a basis as needed.

As documented in http://download.oracle.com/docs/cd/E15261_01/tuxedo/docs11gr1/sec/secadm.html#wp1239453, "For more information about security plug-ins, including the installation and configuration procedures, see your Oracle account manager."

The 'epifregedt g' command shows the current configuration of the plugin framework.
The command "epifregedt g k SYSTEM/impl/security/BEA/certificate_lookup" simply shows security/BEA/certificate_lookup interface settings.
The command "epifregedt g k SYSTEM/impl/security/BEA/certificate_lookup-a Params" shows that the parameters of this interface is instantiated.
Suppose that the result of this command is
Security/BEA/certificate_lookup of the ŒUVRE layout

Instantiation settings:
"userCertificateLdap = ldap://localhost:389".
'filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat '.

Then the command
epifregedt s k SYSTEM/impl/security/BEA/certificate_lookup.
-a Params = userCertificateLdap = ldap://abcxyz:1389 /------.
-a Params=filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat

will change the location of LDAP to ldap://abcxyz:1389.
Note that it is necessary to specify the filterFileLocation with this command, even if it does not evolve.

Thus, it is not necessary to reinstall Tuxedo to change LDAP settings.

Because the registry change orders can be difficult to use, you can experiment with these commands on a development system or you can
Export REG_KEY_SYSTEM =System.rdp
CP $TUXDIR/udataobj/System.rdp $REG_KEY_SYSTEM
before experimenting with epifregedt-s. (the value of REG_KEY_SYSTEM replaces the default value of $TUXDIR/udataobj/System.rdp).

Kind regards
Ed

HLS (HTTP Live Streaming) with SSL

Hi guys

Could someone give me pointers, advice?

We tested CTS with and without AES and both work BB10.

Then we tested with SSL and the camera seems to use/send no certificates.

If we have our own SSL certificate, how can use us it via the MediaPlayer or WebView?

Kind regards

Pepe

Hello

The API of MediaPlayer Cascades currently does not allow this feature. However, you should be able to do this if you use the C API mm-made instead (the Cascades MediaPlayer API is a wrapper of the C mm-renderer API). This means you need bit more code together upwards and handling in C (instead of Qt/C++/QML) so just for reference, I'm pasting some links for reference:

* You can check funtion: mmr_context_parameters() - look for all parameters that you can pass (for example OPT_SSL_VERIFYPEER)

Link: https://developer.blackberry.com/native/reference/bb10/mmrenderer_libref/topic/mmr_api/mmr_context_p...

* Preview links of mm-rendering engine:

https://developer.BlackBerry.com/native/reference/BB10/mmrenderer_libref/topic/about.html

* A sample application that shows the implementation of mm-engine rendering contexts:

https://github.com/BlackBerry/NDK-samples/tree/master/VideoPlayback

(Note that it does not use the queue of the mm-engine event of rendering to hear updates of status here; but you should use that, instead of the BPS queue)

See you soon,.

Rashid

How to configure the listener with SSL

Hi Experts,
I use 11g R2 EE. I want to configure my database listener so that it can be connected using SSL.
Can someone provide me guide step by step to configure the listener with SSL (including the portfolio so that comes in the image).
The command line configurations will be well appreciated.
Thanks in advance
Alexander gelin

The client configuration is the same as the server:

1. create the portfolio.

2 creating CSR and copy it in CA.

3. the CSR signal with your certificate root.

4 copy signed CRT file and root of public certificate to the client.

5 configure the sqlnet.ora clients.

Heavy customers already contains the necessary files. For thin clients, it is necessary to install the full or instant client.

In SQLDeveloper, connection string should be like:

jdbc:oracle:oci:@(DESCRIPTION= (ADDRESS_LIST= (ADDRESS= (PROTOCOL=TCPS)(HOST=)(PORT=))) (CONNECT_DATA= (SERVICE_NAME=)) (SECURITY= (MY_WALLET_DIRECTORY=D:\Oracle\client.test.p12)))

First time with SSL - teething problems

Hello
I have a new site and I decided to use the SSL - just very basic flavor.
I use flickr images and giving me the problem of popup in Internet Explorer by telling the user that there are secure and nonsecure items.
So now I think that maybe I should use the https:// on some of my pages to get the cycle which is but this flying object? Or I guess, not to use Flickr. Yet, on a bloggy kind of site, which wants to say that the content won't get pulled in from other sources not secure?
(The reason why I chose to go with SSL is because one) it is a site Wordpress, b) is a directory of companies set up where I'll be storing details of the company (but not charge for registration at this point and c) I wanted to learn more about SSL.
If anyone knows a decent tutorial SSL fo that has not been written for programmers, I'd love to have a look at this. Most of the things I've come across is either sales preamble location or you need to be a scientist to understand.
Thank you
Martin
[edit] And just to be clear, I think I want to say that most of my teething problems arose because I don't know what I'm doing - nothing new here.

Your absolute links to external sites should all use https protocol. Try it and see if that helps.

DW FTP with SSL explicit
I am trying to connect to the server of my client, but he told me that he thinks that Dreamweaver cannot connect with the security of the explicit SSL mode and that is why I get errors trying to connect. I don't know a lot about FTP and servers. I tried the SFTP, but it does not work. I searched this forum and cannot find a direct answer to the question: help for FTP of Dreamweaver made explicit the connection with SSL? If not, are there components Add on that will help or I have to go with some other FTP or Fetch? I'm on Mac OS X 10.5.5.

Thank you

Brian
yevri wrote:
> Draw?

Actually reading more about explicit SSL from here:
http://ftpguide.com/explicit.htm

I don't think that my previous suggestion will help. It looks like
Dreamweaver uses SFTP, SSH FTP based. You want FTPES, which
Only other clients like FileZilla can use. I don't see in any case to
CS3 FTPES, sorry.

Dooza

--
Display guidelines
http://www.Adobe.com/support/forums/guidelines.html
How to ask Smart Questions
http://www.CatB.org/ESR/FAQs/smart-questions.html

Problem with graphics with SSL active
Hi guys,.
IIS with SSL server on. Everything works well except the graphics. I get a warning signal in the middle of the graph in two - dashboards and responses. Has anyone seen this?
Thank you
The standard yellow triangle with the brand scream, you get when your host of Java is down?

Error uploading file with SSL

Having a strange problem on my site. With the latest version of Firefox 36, whenever I try to download a file of type doc or pdf, I get the following error:

The secure connection failed

The connection to the server was reset while the page is loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Contact the Web site owners to inform them of this problem.

It works on all other browsers and previous versions of firefox. This also works if the page does not use https. We checked on the SSL certificates and they are up-to-date. I'm just puzzled at the way in which certain types of files cause this problem.

I'm just using the following simple code to test:
```
<!DOCTYPE html>
<html>
<head>
<title>File Upload</title>
</head>

<body>

<form id="editTemplateMultipart-editForm" method="post" enctype="multipart/form-data">
  <input type="file" name="myFile">
  <button>Send the file</button>
</form>

</body>
</html>
```
Thanks for your help

In fact, we just discovered the issue! Looks like it is the SSL accelerator back some errors of analysis. Had me technical support CISCO to examine it and they fixed.

Safari no longer works with SSL self-signed certificates?

With the last Safari (9.0.3) on OS X (running 10.11.3) and iOS (9.2.1) operating system, I can no longer connect to sites that use self-signed SSL certificates. Previously, I was warned that the site certificate was not "valid", but given the opportunity to continue anyway. This is the behavior I want to come back. It still works fine in Chrome, Firefox. but now just Safari gives me an error "Safari can't open the Page" as it would if it could not reach the server. Specifically, it says "Safari can't open the page https://myselfsignedhost.com because Safari is unable to establish a connection to the server myselfsignedhost.com.

It does not give me the opportunity to inspect the certificate, add the certificate to my keychain, trust the cert, ignore the warning once or anything else that would be useful... He's just pretending like it can't connect. Am I missing something? How to restore old functionality? This 'bug' makes safari completely useless for me.

OK, some info... This seems to apply only to SOME sites with self signed SSL CERT... The only obvious thing I can think is that maybe it applies to sites where the SSL certificate when the page was first loaded?

If I open a new window private, I can access the page without problem. If I open a new standard, I can also open the page, until I quit safari. Once I left, it stops loading with the same error...

If I manually add the SSL certificate to my keychain as being approved, the page also works... There may be a cache of certificate somewhere that is out of date?

Problem with ssl on ISA Server 2004 traffic shaping

Hello

I use "Bandwidthsplitter" addon for ISA Server 2004 (Enterprise Edition) for shaping traffic and quota control. I have a serious problem with it. This addon does not take into account the ssl traffic user, and I need to restart the Microsoft ISA Server priodically Control Service or allow the users to be connected via ssl until they themselves kill their session.

I will be grateful if someone help me to solve this problem.

Thanks in advance

Bijan

Hello

The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will support what ask you

http://social.technet.Microsoft.com/forums/en-us/Forefrontedgegeneral/threads

vmcli fails with SSL connection error against iDRAC 2.40.40.40

Hello community,

We recently received a handful of new servers to R730XD, bringing the iDRAC 2.40.40.40 firmware revision.

So far, we have been using vmcli for the Assembly of a local iso file during deployment - but now vmcli fails with "error: SSL connection error. It seems to relate to the firmware version iDRAC 2.30.30.30 works very well, while 2.40.40.40 fails with above mentioned error.

Anyone who has experienced - and ideas for the resolution/workaround?

/ Hans

To idrac, under iDRAC settings > network > Services and try to change the configuration of tls 1.1 to 1.0

Router WAN double with SSL VPN inaccessible for customers

I have a configured in a Dual WAN setup Cisco 888. There is an ADSL link connected to the VLAN 100 and a SDSL link associated with the Dialer0. The customer wishes to use the ADSL link to the normal navigation and external SSL VPN users to complete on the SDSL connection. I tried to configure the link failover for the ADSL SDSL.

What works:

-Access to the Internet for clients the

What does not work:

-The ADSL SDSL connection failover.

-Access SSL VPN for customers. Surf to the external IP address will cause only a page by default HTTP. Specification webvpn.html results in a 404 not found error.

Here is my configuration:

version 15.0

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

host name x

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 x

!

AAA new-model

!

!

AAA authentication login local sslvpn

!

!

!

!

!

AAA - the id of the joint session

iomem 10 memory size

!

Crypto pki trustpoint TP-self-signed-3964912732

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3964912732

revocation checking no

rsakeypair TP-self-signed-3964912732

!

!

TP-self-signed-3964912732 crypto pki certificate chain

self-signed certificate 03

x

quit smoking

IP source-route

!

!

IP dhcp excluded-address 192.168.10.254

DHCP excluded-address IP 192.168.10.10 192.168.10.20

!

DHCP IP CCP-pool

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.254

DNS-server 213.75.63.36 213.75.63.70

Rental 2 0

!

!

IP cef

no ip domain search

property intellectual name x

No ipv6 cef

!

!

udi pid CISCO888-K9 sn x license

!

!

username secret privilege 15 ciscoadmin 5 x

username password vpnuser 0 x

!

!

LAN controller 0

atm mode

Annex symmetrical shdsl DSL-mode B

!

interface Loopback1

Gateway SSL dhcp pool address description

IP 192.168.250.1 255.255.255.0

!

interface Loopback2

Description address IP VPN SSL

IP 10.10.10.1 255.255.255.0

route PBR_SSL card intellectual property policy

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

ATM0 interface

no ip address

load-interval 30

No atm ilmi-keepalive

PVC KPN 2/32

aal5mux encapsulation ppp Dialer

Dialer pool-member 1

!

!

interface FastEthernet0

switchport access vlan 100

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

LAN description

IP address 192.168.10.254 255.255.255.0

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1300

!

interface Vlan100

Description KPN ADSL 20/1

DHCP IP address

NAT outside IP

IP virtual-reassembly

!

interface Dialer0

Description KPN SDSL 2/2

the negotiated IP address

IP access-group INTERNET_ACL in

NAT outside IP

IP virtual-reassembly

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP pap sent-username password 0 x x

No cdp enable

!

IP local pool sslvpnpool 192.168.250.2 192.168.250.100

IP forward-Protocol ND

IP http server

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

pool nat SSLVPN SDSL 10.10.10.1 IP 10.10.10.1 netmask 255.255.255.0

IP nat inside source static tcp 10.10.10.1 443 interface Dialer0 443

IP nat inside source static tcp 10.10.10.1 80 Dialer0 80 interface

IP nat inside source overload map route NAT_ADSL Vlan100 interface

IP nat inside source overload map route NAT_SDSL pool SSLVPN SDSL

IP route 0.0.0.0 0.0.0.0 x.x.x.x

IP route 0.0.0.0 0.0.0.0 Dialer0 10

!

INTERNET_ACL extended IP access list

Note: used with CBAC

allow all all unreachable icmp

allow icmp all a package-too-big

allow icmp all once exceed

allow any host 92.64.32.169 eq 443 tcp www

deny ip any any newspaper

Extended access LAN IP-list

permit ip 192.168.10.0 0.0.0.255 any

refuse an entire ip

!

Dialer-list 1 ip protocol allow

not run cdp

!

!

!

!

NAT_SDSL allowed 10 route map

match the LAN ip address

match interface Dialer0

!

NAT_ADSL allowed 10 route map

match the LAN ip address

match interface Vlan100

!

PBR_SSL allowed 10 route map

set interface Dialer0

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

privilege level 15

transport input telnet ssh

!

max-task-time 5000 Planner

!

WebVPN MyGateway gateway

hostname d0c

IP address 10.10.10.1 port 443

redirect http port 80

SSL trustpoint TP-self-signed-3964912732

development

!

WebVPN install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3

!

WebVPN context SecureMeContext

title "SSL VPN Service"

secondary-color #C0C0C0

title-color #808080

SSL authentication check all

!

login message "VPN".

!

Group Policy MyDefaultPolicy

functions compatible svc

SVC-pool of addresses "sslvpnpool."

SVC Dungeon-client-installed

Group Policy - by default-MyDefaultPolicy

AAA authentication list sslvpn

Gateway MyGateway

development

!

end

Any suggestions on where to look?

Hello

It works for me. When the client tries to resolve the fqdn for the domain specified in "svc split dns.." he will contact the DNS server assigned through the Tunnel. For all other questions, he contacts the DNS outside the Tunnel.

You can run a capture of packets on the physical interface on the Client to see the query DNS leaving?

Also in some routers, DNS is designated as the router itself (who is usually address 192.168.X.X), if you want to make sure that assigned DNS server doesn't not part of the Split Tunnel.

Naman

Series 3000 VPN hub with SSL problem

I use the http access to the vpn concentrator and install SSL on the page using IE 6. I open the file and installed successfully with the certificate in IE can I view the contents of the certificate through IE.

I allow cookies and java script of the security for IE tab. Why can I still access using https? Any other configuration that I left out? I use https to access the private interface have private ip address.

Kind regards

Sam

If you have been set up the certificate in a test environment, it may have the wrong IP address. Check under Administration | Management certificate that the IP address of your SSL certificate has the IP address of your interface. If you have changed the IP address since the generation of the certificate, it will no longer work. I'm assuming that you have configured everything properly under Configuration. System | Management protocols. SSL.

It will be useful,

Mark

Requirements of LDAP for SSL - VPN on ASR 1002

Hi all

I intend to implement SSL - VPN (AnyConnect) on a rputer ASR 1002 running IOS - XE Software Version 15.1 (3) S2.

I need to use LDAP for authentication of users and need to understand what are the requirements for RADIUS/GANYMEDE use LDAP.

What I have to use Cisco ACS or can I use something like Microsoft IAS or free Raduis?

Any helo will be greatly appreciated.

Thank you

Dmitry.

Yes, you can use either use LDAP, Radius or Ganymede protocols to authenticate users of SSL VPN.

You can use no matter what authentication server (doesn't have to be Cisco ACS), as long as they have either 3 supports authentication (ldap, radius or Ganymede) protocols.

Hope that answers your question.

LDAP with ssl

Similar Questions

Maybe you are looking for