Mixed (LDAP + APEX accounts) authentication in Apex 4.2.3

Hi all

I've built an application in version 4.2.3 against 11g R2 on Windows 2008 Server. The current authentication is HTML DB (Apex's own authentication). My customer wants to be able to authenticate users based on their Active Directory logins. Is it possible to have a mixed authentication method in this version of Apex? Could you point me to some documents, samples, etc.?

Thank you

Sinan

Hey, Sinan.

It turns out that I recently needed to implement this very feature. I created an Apex application (version 4.2.1 on Oracle 11 g 3 and mod_plsql) in which some users authenticate against Windows LDAP while other users authenticate against a database table containing usernames and encrypted passwords. I created a package called app_security_pkg which is called from a PL/SQL after-submit process on the login page (page 101) of my application. This package distinguishes one type of login user from another, according to certain criteria. In my case, the login page has a drop-down in which users have to choose the "user type" they are logging in as. So, if a user intends to use my application as, say, an 'Administrator', they select the 'Administrator' option in the drop-down menu. If a user is using the application as an "Experimenter", he chooses the "Experimenter" option in the drop-down menu.

They then type their user name and password on the login page and click the 'Login' button, which calls my package code. The selected user type is sent along with the user name and password entered. The selected user type determines which authentication scheme is used to verify the credentials passed at login. In my example, if the user type 'Administrator' is passed, LDAP is used; otherwise, the login user name and password are checked against the database table (the password passed in is checked against the encrypted passwords stored in the table).

If the selected user type is 'Administrator' and the credentials have been verified successfully against LDAP, the user is presented with a certain 'landing page' in the application. If the selected user type is 'Experimenter' and the login credentials have been verified successfully against the database table, then the user is presented with another 'landing page' in the application.

In a nutshell, this is how my multiple authentication scheme works.  And I would add, it works very well.

I would like to include a link to my application but you would not be able to check it out since, obviously, you're not in our LDAP directory.

I hope that helps you.

Elijah
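
The dispatch described in the reply above, written as a custom authentication function; this is an added example, not Elijah's app_security_pkg. The page item P101_USER_TYPE, the table APP_USERS, the host ad.example.com, the domain EXAMPLE and the salted, iterated SHA-1 storage format are assumptions (the post says only that the stored passwords are encrypted).

```plsql
-- Added example. Assumed names: page item P101_USER_TYPE, table
-- APP_USERS(username, salt, pwd_hash), host ad.example.com, domain EXAMPLE.
create or replace function mixed_auth (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_type    varchar2(30) := v('P101_USER_TYPE');  -- hypothetical drop-down item
    l_session dbms_ldap.session;
    l_rc      pls_integer;
    l_salt    raw(16);
    l_stored  raw(20);
    l_calc    raw(2000);
begin
    -- A simple bind with an empty password is an unauthenticated bind and
    -- can report success, so reject it before any directory call. The
    -- allow-list keeps odd characters out of the bind string.
    if p_username is null
       or p_password is null
       or not regexp_like(p_username, '^[A-Za-z0-9._-]{1,64}$')
    then
        return false;
    end if;

    if l_type = 'ADMINISTRATOR' then
        -- Directory users: the bind itself is the password check.
        -- Port 389 without SSL carries the password in clear text.
        dbms_ldap.use_exception := true;
        begin
            l_session := dbms_ldap.init('ad.example.com', 389);
            l_rc := dbms_ldap.simple_bind_s(
                        l_session, 'EXAMPLE\' || p_username, p_password);
            l_rc := dbms_ldap.unbind_s(l_session);
            return true;
        exception
            when others then
                -- Bad credentials or directory unreachable: close and deny.
                begin
                    l_rc := dbms_ldap.unbind_s(l_session);
                exception
                    when others then null;
                end;
                return false;
        end;

    elsif l_type = 'EXPERIMENTER' then
        -- Table users: recompute the stored hash from the typed password.
        begin
            select salt, pwd_hash
              into l_salt, l_stored
              from app_users
             where username = upper(p_username);
        exception
            when no_data_found then
                return false;
        end;
        l_calc := utl_raw.concat(
                      l_salt, utl_i18n.string_to_raw(p_password, 'AL32UTF8'));
        -- SHA-1 is the strongest digest DBMS_CRYPTO offers on 11g; the
        -- salt and the iteration count slow down offline guessing.
        for i in 1 .. 10000 loop
            l_calc := dbms_crypto.hash(l_calc, dbms_crypto.hash_sh1);
        end loop;
        return utl_raw.compare(l_calc, l_stored) = 0;
    end if;

    return false;  -- missing or unknown user type: deny
end mixed_auth;
/
```

The function would be named in a custom authentication scheme; what a user may do after login should be keyed to the account that was verified, since the drop-down value is chosen by the client.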

Similar Questions

  • Default password for LDAP sync accounts that do not use LDAP authentication

    We use CUCM 10.5.1. We have enabled LDAP and set up the directories. I can see the previous local users and the new LDAP-synced users. I know that if there was a previous local user with the same user ID as a new LDAP user, that account is converted into an LDAP account, and I guess the password stays the same as before the LDAP integration. But what about the newly LDAP-synced accounts? I see that there is a password field for them, but what is the default password for these newly created accounts and where can I edit this default password?

    I do not have a 10.x here, but on previous versions, the "Credential Policy Default" sets the default password.

    It was under User Management / Credential Policy Default. Choose the 'End User' 'Password' policy and put the default value you want there. It may be in a slightly different place in 10.x.

    Aaron

  • Looking up LDAP attributes after authentication

    All,
    Thanks to Tyler Muth's blog on secure LDAP, I was able to get authentication working with our SunOne LDAP using a custom authentication scheme. Apex does not natively support SSL authentication where you must do a secure LDAP bind with a service DN (which has its own user ID and password) before you pass the user name and password of the real user.

    Now I'm trying to retrieve attributes for this authenticated user, such as attributes that are in the LDAP directory: department, title, etc. Does anyone have any suggestions? Code examples would be great. I looked at the example in the Pro Application Express book, but what confuses me is how to pass the user name that you have authenticated to a function call to 'dbms_ldap.search'. Authentication closes the LDAP session once the user is authenticated. So now I'm in the application with this 'APP_USER'. I believe that I now have to do the following steps, but do not know how to accomplish them:

    1.) I need to re-open an LDAP session (I guess I still need to re-bind to LDAP using my service DN and password, as was done in the custom authentication scheme).
    2.) I need to search LDAP for the current 'APP_USER' and start retrieving the other attributes. Our LDAP administrator said I can search on this "UID" as it is in our LDAP store.
    3.) There is code for a custom LDAPQuery function (built on dbms_ldap.search) in 'Pro Oracle Application Express', but it sends the data to a table and then runs a query on the table to retrieve the attributes.

    The code in 'Pro App Express' does not require that initial secure bind with the service DN (service user name and password, assigned to me by our LDAP admin). It looks like it assumes that the binding user is the one whose attributes are sent to the LDAPQuery function call (user and password parameters), but this is not the case in my situation. I want to query based on the currently logged in 'APP_USER' and retrieve the attribute data into form input items on the page that the user has just been authenticated into.

    Any help would be appreciated - especially if you have already done this and have a code example!

    Thank you
    Pat

    Hello

    Try changing this line

    l_attrs := 'ndtitle, title, nddepartment';

    to

    l_attrs(1) := 'ndtitle';
    l_attrs(2) := 'title';
    l_attrs(3) := 'nddepartment';

    Kind regards
    Shijesh
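
    The three steps listed in the question, with the collection assignment from the reply, as an added PL/SQL example that is not code from either poster or from the book mentioned. The function name, host ldap.example.com and search base are assumptions, and APEX_ESCAPE requires APEX 4.2 or later.

    ```plsql
    -- Added example. Assumed: host ldap.example.com, base
    -- ou=people,dc=example,dc=com, and a uid attribute that matches APP_USER.
    create or replace function ldap_user_attrs (
        p_uid         in varchar2,   -- pass v('APP_USER') from the page
        p_service_dn  in varchar2,   -- service account DN from the LDAP admin
        p_service_pwd in varchar2
    ) return varchar2                -- one "attr=value" line per value found
    is
        l_session dbms_ldap.session;
        l_attrs   dbms_ldap.string_collection;
        l_vals    dbms_ldap.string_collection;
        l_msg     dbms_ldap.message;
        l_entry   dbms_ldap.message;
        l_ber     dbms_ldap.ber_element;
        l_attr    varchar2(256);
        l_rc      pls_integer;
        l_out     varchar2(4000);
    begin
        dbms_ldap.use_exception := true;
        l_session := dbms_ldap.init('ldap.example.com', 389);
        -- Step 1: re-bind as the service account, not as the end user.
        l_rc := dbms_ldap.simple_bind_s(l_session, p_service_dn, p_service_pwd);

        -- One attribute name per collection element.
        l_attrs(1) := 'ndtitle';
        l_attrs(2) := 'title';
        l_attrs(3) := 'nddepartment';

        -- Step 2: search on uid. The value is escaped so that characters such
        -- as * ( ) \ in a user name cannot change the meaning of the filter.
        l_rc := dbms_ldap.search_s(
                    l_session,
                    'ou=people,dc=example,dc=com',
                    dbms_ldap.scope_subtree,
                    '(uid=' || apex_escape.ldap_search_filter(p_uid) || ')',
                    l_attrs,
                    0,
                    l_msg);

        -- Step 3: read the values directly instead of staging them in a table.
        -- Exactly one match is accepted; anything else returns no attributes.
        if dbms_ldap.count_entries(l_session, l_msg) = 1 then
            l_entry := dbms_ldap.first_entry(l_session, l_msg);
            l_attr  := dbms_ldap.first_attribute(l_session, l_entry, l_ber);
            while l_attr is not null loop
                l_vals := dbms_ldap.get_values(l_session, l_entry, l_attr);
                if l_vals.count > 0 then
                    for i in l_vals.first .. l_vals.last loop
                        l_out := l_out || l_attr || '=' || l_vals(i) || chr(10);
                    end loop;
                end if;
                l_attr := dbms_ldap.next_attribute(l_session, l_entry, l_ber);
            end loop;
            if l_ber is not null then
                dbms_ldap.ber_free(l_ber, 0);
            end if;
        end if;

        l_rc := dbms_ldap.unbind_s(l_session);
        return l_out;
    exception
        when others then
            -- Close the session on any failure, then let the caller see the error.
            begin
                l_rc := dbms_ldap.unbind_s(l_session);
            exception
                when others then null;
            end;
            raise;
    end ldap_user_attrs;
    /
    ```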

  • UCS LDAP and Native authentication

    Hello

    We set Native Authentication to LDAP and connected UCS Manager to LDAP as well. We are able to connect to the GUI & SSH using the LDAP account, but cannot connect to the GUI using the local account (admin).

    If I change Native Authentication to local, we can connect to the GUI via the local account (admin), but cannot connect to SSH via the LDAP account.

    Missing something?

    Please let me know.

    / Rags

    Hello

    When you have changed the native auth to LDAP and use local account, are you prefixing the local username with the local domain auth?

    * From Linux / MAC machine

    SSH ucs -------@.

    SSH-l ucs -.

    SSH -l ucs -.

    * From client PuTTY

    Connect as: ucs -.

    NOTE the domain name is case-sensitive and must match the name field set up in UCSM.

    Try connecting with the name in domainsername and let us know the result.

    Padma

  • External LDAP user not authenticated

    Hello

    Using Weblogic 12.1.2 I created an Active Directory authenticator and can connect to our Windows Active Directory so that it will give the list of users, that I care to see in the 'Users and groups' tab of the Weblogic administration console.  However, when I try to use my Java process authentication, it indicates that the user cannot be authenticated (LoginException java security survey).  This same code works in a different environment with Active Directory configuration.  If I use our weblogic user default ' local' (one who is allowed to start the server), I do not see the exception and the user is authenticated.  Anyone know how I can get my "external LDAP user" to authenticate and why he would be treated differently from a 'local' user or why it would be different depending on the environment?

    Thank you!

    Hello

    Are you able to log in to the WebLogic console using the Active Directory users?

    1. Check whether you are able to see all the users in the WebLogic console.

    Security Realms ===> myrealm ===> Users and Groups

    2. Also, did you add the user or group in the global section?

    Take a look at the link below for reference on configuring AD with WebLogic.

    Configuring Active Directory with Weblogic Server 10.3.6 - weblogicexpert

    3. Check what the control flag is set to.

    Set as "SUFFICIENT".

    It may be useful

  • CF stand-alone Windows Server 2003 user account authentication

    I'm new to the forum, so forgive me if this has been asked before. I did a search, but not found a solution (although my research skills failed me in the past). In addition, I'm not the developer, but the person is trying to "herd cats" so this application can be used by our corporate community.

    We are running CF 8 on a stand-alone server to Windows 2003 in a DMZ; No AD integration.  Currently, users must enter a username/password pair in the dialog box presented by Windows (anonymous access is disabled), after which they are presented with a secondary Web page connection, by the application.  I would like to eliminate the second connection and have the credentials of the window placed directly at the CF after authentication.  Is this possible?

    Any information I can provide the developer would be GREATLY appreciated.

    Kind regards

    Michael

    Hi Michael,

    Yes, it is possible.

    NTLM authentication creates a CGI variable called 'AUTH_USER' (try displaying it with #CGI.AUTH_USER#), which you can use in ColdFusion to authenticate users.

    HTH

  • Change the administrator account inaccessible apex because of the authentication scheme


    Dear all,

    "By mistake I changed the Admin of my Oracle Apex application account authentication scheme to ' Oracle Application Server Single Sign-On. The application is hosted on a Linux server. Now, I'm not able to access the application and get this message"

    WWSEC_SSO_ENABLER_PRIVATE package does not exist or is not valid.

    Please ask your administrator to Application Express to configure the engine to Oracle Application Server Single Sign-On. »

    Could someone please help me out here and let me know how I can change this back to Application Express accounts? Is there any script that can reset it to the default, or anything like that?

    Thank you

    Hi najet-Oracle,.

    Christophe-Oracle wrote:

    "By mistake I changed the Admin of my Oracle Apex application account authentication scheme to ' Oracle Application Server Single Sign-On. The application is hosted on a Linux server. Now, I'm not able to access the application and get this message"

    WWSEC_SSO_ENABLER_PRIVATE package does not exist or is not valid.

    Please ask your administrator to Application Express to configure the engine to Oracle Application Server Single Sign-On. »

    Could someone please help me out here and let me know how I can change this back to Application Express accounts? Is there any script that can reset it to the default, or anything like that?

    Connect as the SYS user with SYSDBA privilege and run this:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('APEX_BUILDER_AUTHENTICATION', 'APEX');
        COMMIT;
    END;
    /
    

    I hope this helps!

    Kind regards

    Kiran

  • Problem with LDAP in APEX and not in SQL*Plus

    Hello everyone.

    Hereby, I refer to an existing thread: Query LDAP APEX

    I have a problem using LDAP in APEX (DB version: 11.2.0.2.0; APEX version: 4.0)

    I get "Authentication failed" from APEX. However, when I run it in SQL*Plus (SQL Developer) (I created it as seen in the referenced forum thread) it works! I can use my own function, but that looks like reinventing the wheel.

        l_ldap_host := 'oursite.be';
        l_ldap_port := '389';
        l_ldap_domn := 'oursite';
        l_ldap_user := i_username;
        l_ldap_pass := i_pw;
        l_ldap_base := 'ou=oursite,dc=oursite,dc=be';
    
    
        dbms_ldap.use_exception := true;
        
        l_session  := dbms_ldap.init(l_ldap_host,l_ldap_port);
        l_retval   := dbms_ldap.simple_bind_s(l_session, l_ldap_domn||'\'||l_ldap_user, l_ldap_pass);    
        l_attrs(1) := 'name';
        l_attrs(2) := 'title';
        l_retval   := dbms_ldap.search_s(
                        l_session, 
                        l_ldap_base, 
                        dbms_ldap.scope_subtree, 
                        '(sAMAccountName='||l_ldap_user||')',
                        l_attrs,
                        0,
                        l_message
                      );
    
        l_retval := dbms_ldap.count_entries(l_session, l_message);

    We must search on sAMAccountName because that contains our login credentials (dennis.surname). The common name is just our full name (Dennis Surname).

    In APEX, I have these settings:

    * LDAP host: oursite.be
    * Port: 389
    * Use SSL: No SSL
    * Use exact DN: No
    * DN string: ou=oursite,dc=oursite,dc=be
    * Search filter: sAMAccountName=%LDAP_USER%

    When I try to test it I get "Authentication failed" but I don't know why. It works very well in SQL*Plus (in the same schema of course!) so I really have no idea what I'm doing wrong. In addition, the message comes instantly, whereas in SQL*Plus it takes about a second to authenticate.

    I tried so many things: removing the 'ou', logging in with my name, changing the filter to 'cn=%LDAP_USER%', logging in with dennis.surname and Dennis Surname, using exact DN... and all the possible combinations of them. Nothing works.

    I can go further by using my own function, but I really want to use the APEX settings, because it's so much easier.

    Thanks in advance for helping me out!
    Dennis

    Hi Dennis,

    Try this

    Set 'Use exact DN' to Yes.
    Change your DN string to

    %LDAP_USER%@domain

    or

    domain\%LDAP_USER%

    The authentication uses a simple_bind_s. You must use the same syntax in these text boxes. You are actually doing a simple bind with

    dbms_ldap.simple_bind_s(l_session, 'sAMAccountName=' || l_ldap_user, l_ldap_pass);

    That does not work. That is the syntax to use in the search filter for search_s.

    Please keep in mind that the apex_040100 (for apex 4.1) user must have connect rights to the domain server.

  • Apex authentication scheme

    Hi all

    - First of all, I created two separate applications, each with an authentication scheme
    - Then I want to create the database account authentication scheme in the first application, which must apply to the second application too (I mean a single sign-on for both applications).

    Please, someone help me

    Hello
    Create an authentication scheme in your 2nd application, then edit the scheme that you created and use "Reference Master Authentication Scheme From" to point the 2nd application's scheme at the 'Master' scheme in application 1.

    HTH,

    Mike

  • How can I publish my Application current Apex

    I'm having a problem with my application, and I think the best way would be to publish my application so that others can see what I mean.
    Thank you
    Jeremy

    Jeremy H says:
    Thank you. I'm on apex.oracle.com environment, but I guess my question is what is the best way to create a connection of guest?

    The easiest way is to use the Application Express accounts authentication scheme and create developer or final user accounts depending on whether you wanted just other people to run your application or watch in the constructor of the App, then validate the credentials of the area of work/name of user and password in the relevant thread here.

    And how to specify what pages they are allowed to see, etc. ?

    If you consider your request code/the data to be sensitive and require this level of control when troubleshooting on apex.oracle.com, then you should not post here. (Production data should never be used here anyway.)

    Create a reduced test case application using the Oracle demo schemas that reproduces the problem.

  • How to choose the LDAP settings in the authentication scheme?

    Hello

    I'm not LDAP expert by any stretch of the imagination ("newbie" would probably be a much better description of my 'expert' level), so please help me understand in simple terms why I'm not going to put up the correct authentication scheme.

    When I use Softerra LDAP Browser 2.6 from my PC (where Apex 3.2 is also running in an instance of Oracle 11g), I can successfully connect to an LDAP service and see the whole directory by using the following parameters:
    - Host: 10.34.70.236
    - Port: 389
    - User DN: cn=RIS,OU=RIS,ou=Applications,OU=Services,o=BMGC
    - Password is empty

    When I configure the LDAP authentication scheme, I use the same settings:
    - LDAP host: 10.34.70.236
    - LDAP port: 389
    - LDAP DN string: cn=RIS,ou=RIS,ou=Applications,OU=Services,o=BMGC

    When I try to log in with my user name, I get an authentication error.

    - How is it supposed to work?
    - How is it (supposedly) going to find my user name in the whole LDAP?
    - How is the LDAP_USER parameter used?
    - Where can I learn more about this topic?
    - And finally and above all, how can I make this work so that any user in the LDAP service can log in but no one else can?

    Thanks in advance,

    Gabor

    In the LDAP DN string field, you would put %LDAP_USER% where you want the user name typed in on the login page to go, for example:

    CN=%LDAP_USER%,ou=RIS,ou=Applications,OU=Services,o=BMGC

    This becomes the DN argument of DBMS_LDAP.SIMPLE_BIND_S, and the password from your login page is used as the PASSWD argument of SIMPLE_BIND_S.

    How is it (supposedly) going to find my user name in the whole LDAP?

    You must know the exact structure of the directory to find out where your user name is located.

    And finally and above all, how can I make this work so that any user in the LDAP service can log in but no one else can?

    If the verification of the user name and password succeeds against the LDAP directory, then authentication is successful and the user will be logged in. I don't know what the other case is.

    Scott

  • Syntax of the apex to create edit link

    Apex 4.2

    I have a report that I'm working on that uses a custom edit link embedded in the query. The query along the lines of:

    SELECT
    first_name as FIRST,
    last_name as LAST,
    '<a href="f?p=&APP_ID.:67:APP_SESSION.::::P67_PERSON_ID:#PERSON_ID#"><img src = "/i/edit.gif" alt=""></a>' as LINK_COLUMN
    FROM PERSONS
    

    I want the report to link to the information page (Page 67; the report is on page 66). However, there is a problem with the syntax. On the report, I can click on the link for each row. It takes me to the next page, but it does not bring up the information on the next page based on the PERSON_ID passed.

    I think another way would also use javascript.apex: submit {} but I'm not as familiar with this syntax as well. I did some searching on google but I encounter difficulties still generate this link.

    Any help on this would be greatly appreciated. Thanks in advance.

    You mix the Apex syntax (like token #PERSON # and & substitution variables) with SQL syntax - and expect that everything works like magic.

    The syntax of the token # is applicable only in the column properties (for example, the definition of HTML column or column URL/link definition) in a report of the Apex. It has no meaning in SQL.

    If you want to generate the URL under the projection of the SQL then use:

    select
      first_name as FIRST,
      last_name as LAST,
      '' as URL
    from persons
    

    And as Frank commented - please use the correct forum area in the future when ask what apex questions.

  • Authentication LDAP BI publisher

    Hello

    I try to activate the AD for BI publisher authentication. I tried most of the possible LDAP configuration settings. But when I try to connect, it throws the following error.

    The server cannot be used because of a configuration error, please contact the administrator. If you are the administrator, please see the BI Publisher user guide for the correct configuration.
    Detail of the error

    Previous

    oracle.apps.xdo.security.ValidateException

    Should I create the roles of BI Publisher in the LDAP server for authentication LDAP for BI publisher.

    Kindly let me know if anyone have solution for the same.

    Thank you and best regards,
    Rajesh J

    Edited by: sj_rajesh may 18, 2010 16:49

    Here is an example of an LDAP with ADSI integration:
    http://gerardnico.com/wiki/dat/BIP/ldap_adsi

    And yes, you must create the groups in the LDAP directory. They are imported when BIP starts.

    Cheers
    Nico

  • Use a database account - not anonymous

    Hey everybody,

    I am building an APEX application to replace an existing forms application, I use Oracle users to access the APEX.
    Since some parts of the security of the application are on our ban of certain users of data views.
    I know that many people will switch to the solution of 'Use the built-in database APEX account authentication scheme'.

    However, this will not work given the APEX is not actually use this account at the session, simply uses the credentials to authenticate. Some of our bad hair removal questions and in update of our database triggers lines defines the fields last_update_user to ANONYMOUS.

    Is there any way we can authenticate and connect to APEX as an Oracle user? Is there any way to override the parsing schema setting?

    Your help is very appreciated.

    If anyone has any alternative ideas to my problem, I'm open to their decision-making.

    Cody,

    However, this will not work given the APEX is not actually use this account at the session, simply uses the credentials to authenticate. Some of our bad hair removal questions and in update of our database triggers lines defines the fields last_update_user to ANONYMOUS.

    That is right. You can change the triggers to save nvl(v('APP_USER'), user) to address this aspect.

    With respect to the control of access to data, your application should use v('APP_USER') (the authenticated user name) in authorization scheme logic, VPD predicates, or conditions. If roles were used in the original application, this logic must be unraveled and converted into queries on views like dba_role_privs so that the role/privilege assignments can be discovered by your authorization logic without any particular role actually being enabled in the database session. (Roles are never enabled during the parsing of definer's rights stored procedures.)

    Is there any way we can authenticate and connect to APEX as an Oracle user?

    No, not really.

    Is there any way to override the parsing schema setting?

    No, and it would not help with that, I don't think. The tables and other database objects exist in that one parsing schema.

    Scott

  • ASA 9.0.2 - LDAP, MS AD, ldap-base-dn CN problem

    Hello

    I configured LDAP authentication on the ASA for VPN users. In MS AD, I have a group called 'VPN_Users' but this is a CN.

    ldap-base-dn CN=VPN_Users,OU=users,DC=company,DC=local

    The path identified in AD shows:

    DN: CN=VPN_Users,OU=users,DC=company,DC=local

    I want to allow only the users who are in the group mentioned. But it does not work. It seems that 'CN=VPN_Users' is not recognized as a group, but it is.

    Any idea? Or experience? Is it an IOS bug or what?

    Thank you.

    HI Matus,

    This is what you need.

    Configuration to restrict access to a particular Windows group on AD

    ldap attribute-map LDAP-MAP
      map-name memberOf IETF-Radius-Class
      map-value memberOf CN=VPN_Users,OU=users,DC=company,DC=local
    !
    ! --- The group policy name should be the group policy that you have configured on the ASA ---
    !
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD
      server-port 389
      ldap-base-dn DC=company,DC=local
      ldap-scope subtree
      ldap-naming-attribute sAMAccountName
      ldap-login-dn
      ldap-login-password
      server-type microsoft
      ldap-attribute-map LDAP-MAP
    !
    !
    group-policy internal
    group-policy attributes
      vpn-simultaneous-logins 3
      vpn-tunnel-protocol IPSec l2tp-ipsec ...
      address-pools value
    !
    !
    group-policy noaccess internal
    group-policy noaccess attributes
      vpn-simultaneous-logins 1
      address-pools none
    !
    !
    tunnel-group type remote-access
    tunnel-group general-attributes
      authentication-server-group LDAP-AD
      default-group-policy noaccess

    Just in case it does not work for you, get the following information:

    Turn on 'debug ldap 255' on the ASA and try to connect with a user account that belongs to the VPN_Users group

    1.] show run ldap

    2.] show aaa-server

    3.] show run tunnel-group

    4.] show run group-policy

    OR

    You can provide the show run of the ASA.

    Jatin kone
    - Do rate helpful posts
