Separate authentication and authorization for Active Directory groups

Hi all

After a long search without success, I am writing this question.

I use Oracle APEX 4.2 on Windows Server 2012 with Oracle 12c, all 64-bit.

We have configured Microsoft Active Directory with LDAP.

In LDAP we have a core group, say A, and under it two groups: staff and students.

Under staff there are many other groups, and under students there are a lot of groups too.

I created a mobile application; it has a main page that is publicly accessible without username and password.

On this home page I have a list that contains two items: one is staff and the other is student.

When one of the list items is clicked, the login screen appears.

Now I want to control this: when the user clicks on the staff list item, only staff should be authenticated.

If the end user is a student, they must not be authenticated.

The same goes for the student list item: if the end user clicks on the student list item, only students must be authenticated.

Could someone please guide me? My research and testing have failed.

Thank you.

Kind regards.

Hi Maahjoor,

Try this (it prints all the attributes of the user) by logging in to your schema in SQL Developer:

DECLARE

  -- Adjust as necessary.
  l_ldap_host    VARCHAR2(256) := 'hct.org';
  l_ldap_port    VARCHAR2(256) := '389';
  l_ldap_user    VARCHAR2(256) := 'cn=hct\itnew';
  l_ldap_passwd  VARCHAR2(256) := 'itnew';
  l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';

  l_retval       PLS_INTEGER;
  l_session      DBMS_LDAP.session;
  l_attrs        DBMS_LDAP.string_collection;
  l_message      DBMS_LDAP.message;
  l_entry        DBMS_LDAP.message;
  l_attr_name    VARCHAR2(256);
  l_ber_element  DBMS_LDAP.ber_element;
  l_vals         DBMS_LDAP.string_collection;

BEGIN

  -- Choose to raise exceptions.
  DBMS_LDAP.USE_EXCEPTION := TRUE;

  -- Connect to the LDAP server.
  l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                              portnum  => l_ldap_port);

  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => l_ldap_user||','||l_ldap_base,
                                      passwd => l_ldap_passwd);

  -- Get all attributes
  l_attrs(1) := '*'; -- retrieve all attributes
  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_ldap_base,
                                 scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                 filter   => l_ldap_user,
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);

  IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
    -- Get all the entries returned by our search.
    l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                     msg => l_message);

    << entry_loop >>
    WHILE l_entry IS NOT NULL LOOP
      -- Get all the attributes for this entry.
      DBMS_OUTPUT.PUT_LINE('---------------------------------------');
      l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                               ldapentry => l_entry,
                                               ber_elem  => l_ber_element);
      << attributes_loop >>
      WHILE l_attr_name IS NOT NULL LOOP
        -- Get all the values for this attribute.
        l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                        ldapentry => l_entry,
                                        attr      => l_attr_name);
        << values_loop >>
        FOR i IN 1 .. l_vals.COUNT LOOP  -- 1..COUNT also copes with an attribute that has no values
          DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
        END LOOP values_loop;
        l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                ldapentry => l_entry,
                                                ber_elem  => l_ber_element);
      END LOOP attributes_loop;
      l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                      msg => l_entry);
    END LOOP entry_loop;
  END IF;

  -- Disconnect from the LDAP server.
  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
  DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);

EXCEPTION
  WHEN OTHERS THEN
    -- USE_EXCEPTION is TRUE, so close the LDAP session on any error before re-raising.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/

NOTE: The DN parameter on line 29 requires the exact distinguished name of the user. In addition, for the filter on line 37 you can use the username, i.e. "cn=firstname.lastname".

You can specify a particular attribute to be extracted for the user by changing line 33 from:

l_attrs(1) := '*';

TO

l_attrs(1) := 'title';

Then you can write a function based on the code above to extract an LDAP attribute of the user, as follows:

create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
                                                      , p_password in varchar2
                                                      , p_attrname in varchar2 )
return varchar2
as

  -- Adjust as necessary.
  l_ldap_host    VARCHAR2(256) := 'hct.org';
  l_ldap_port    VARCHAR2(256) := '389';
  l_ldap_user    VARCHAR2(256) := 'cn='||p_username;
  l_ldap_passwd  VARCHAR2(256) := p_password;
  l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';

  l_retval       PLS_INTEGER;
  l_session      DBMS_LDAP.session;
  l_attrs        DBMS_LDAP.string_collection;
  l_message      DBMS_LDAP.message;
  l_entry        DBMS_LDAP.message;
  l_attr_name    VARCHAR2(256);
  l_attr_value   VARCHAR2(256);
  l_ber_element  DBMS_LDAP.ber_element;
  l_vals         DBMS_LDAP.string_collection;

BEGIN

  -- Choose to raise exceptions.
  DBMS_LDAP.USE_EXCEPTION := TRUE;

  -- Connect to the LDAP server.
  l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                              portnum  => l_ldap_port);

  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => l_ldap_user||','||l_ldap_base,
                                      passwd => l_ldap_passwd);

  -- Get specific attributes
  l_attrs(1) := p_attrname;
  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_ldap_base,
                                 scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                 filter   => l_ldap_user,
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);

  IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
    -- Get all the entries returned by our search.
    l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                     msg => l_message);

    << entry_loop >>
    WHILE l_entry IS NOT NULL LOOP
      -- Get all the attributes for this entry.
      DBMS_OUTPUT.PUT_LINE('---------------------------------------');
      l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                               ldapentry => l_entry,
                                               ber_elem  => l_ber_element);
      << attributes_loop >>
      WHILE l_attr_name IS NOT NULL LOOP
        -- Get all the values for this attribute.
        l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                        ldapentry => l_entry,
                                        attr      => l_attr_name);
        << values_loop >>
        FOR i IN 1 .. l_vals.COUNT LOOP  -- 1..COUNT also copes with an attribute that has no values
          DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
          l_attr_value := l_vals(i);
        END LOOP values_loop;
        l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                ldapentry => l_entry,
                                                ber_elem  => l_ber_element);
      END LOOP attributes_loop;
      l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                      msg => l_entry);
    END LOOP entry_loop;
  END IF;

  -- Disconnect from the LDAP server.
  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
  DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
  DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);

  return l_attr_value;

EXCEPTION
  WHEN OTHERS THEN
    -- USE_EXCEPTION is TRUE, so close the LDAP session on any error (e.g. a failed bind) before re-raising.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;

END fnc_get_ldap_user_attr_val;
/

Then create an application item AI_USER_AD_TITLE under Shared Components -> Application Items.

Create the following procedure, to be used as the post-authentication procedure of the authentication scheme in your APEX application:

create or replace procedure ldap_post_auth
as

  l_attr_value varchar2(512);

begin

  l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
                                             , p_password => apex_util.get_session_state('P101_PASSWORD')
                                             , p_attrname => 'title' );

  apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);

end ldap_post_auth;

Change the 'Post-Authentication Procedure Name' in your authentication scheme to 'ldap_post_auth'.

Then modify the process on the home page of your PORTALS application to:

begin

    if :AI_USER_AD_TITLE = 'Student' then
        apex_util.redirect_url(p_url=>'f?p=114:1');
    else
        apex_util.redirect_url(p_url=>'f?p=113:1');
    end if;

end;

I hope this helps!

Kind regards

Kiran
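As an added example (not code from Kiran's post, nor from Oracle or APEX), here is the same idea with authentication and authorization actually separated, as the thread title asks: the APEX LDAP authentication scheme authenticates the user, a post-authentication procedure looks up the user's AD groups through the memberOf attribute using a read-only service account, and an authorization scheme checks exact group membership. The host and base DN are the ones from the post; the service account DN and password, the application item AI_USER_AD_GROUPS, the example group DN and all function names are assumptions.

```plsql
-- Escape a value for use inside an LDAP search filter (RFC 4515), so that a
-- username such as  smith)(cn=*  cannot change the meaning of the filter.
create or replace function fnc_ldap_filter_escape (p_value in varchar2)
return varchar2
as
  l_out varchar2(4000) := p_value;
begin
  l_out := replace(l_out, '\', '\5c');   -- backslash first: it is the escape character
  l_out := replace(l_out, '*', '\2a');
  l_out := replace(l_out, '(', '\28');
  l_out := replace(l_out, ')', '\29');
  l_out := replace(l_out, chr(0), '\00');
  return l_out;
end fnc_ldap_filter_escape;
/

-- Look up the user's direct AD group DNs (memberOf) with a read-only service
-- account and return them one per line. memberOf lists direct membership only;
-- nested groups are not expanded.
create or replace function fnc_get_ldap_user_groups (p_username in varchar2)
return varchar2
as
  l_ldap_host  varchar2(256) := 'hct.org';         -- from the post
  l_ldap_port  pls_integer   := 389;
  l_ldap_base  varchar2(256) := 'DC=hct,DC=org';   -- from the post
  -- Placeholder service account (assumed); keep the real password out of source.
  l_svc_dn     varchar2(256) := 'CN=svc_apex_ldap,OU=Service Accounts,DC=hct,DC=org';
  l_svc_passwd varchar2(256) := '<service-account-password>';
  l_session    dbms_ldap.session;
  l_retval     pls_integer;
  l_attrs      dbms_ldap.string_collection;
  l_message    dbms_ldap.message;
  l_entry      dbms_ldap.message;
  l_vals       dbms_ldap.string_collection;
  l_groups     varchar2(4000);   -- room for a few dozen DNs
begin
  dbms_ldap.use_exception := true;
  l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
  -- The user was already authenticated by the APEX LDAP authentication scheme;
  -- this bind only serves the authorization lookup.
  l_retval := dbms_ldap.simple_bind_s(ld => l_session, dn => l_svc_dn, passwd => l_svc_passwd);
  l_attrs(1) := 'memberOf';
  l_retval := dbms_ldap.search_s(ld => l_session, base => l_ldap_base,
                scope  => dbms_ldap.scope_subtree,
                filter => '(&(objectClass=user)(cn=' || fnc_ldap_filter_escape(p_username) || '))',
                attrs  => l_attrs, attronly => 0, res => l_message);
  -- Exactly one entry must match; an ambiguous name yields no groups at all.
  if dbms_ldap.count_entries(ld => l_session, msg => l_message) = 1 then
    l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
    begin
      l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => 'memberOf');
    exception
      when others then l_vals.delete;   -- attribute absent: the user is in no groups
    end;
    for i in 1 .. l_vals.count loop
      l_groups := l_groups || l_vals(i) || chr(10);
    end loop;
  end if;
  l_retval := dbms_ldap.unbind_s(ld => l_session);
  return l_groups;
exception
  when others then
    -- Never leave the LDAP session open on a failure; then re-raise.
    begin l_retval := dbms_ldap.unbind_s(ld => l_session); exception when others then null; end;
    raise;
end fnc_get_ldap_user_groups;
/

-- Post-authentication procedure: cache the group list once per session in the
-- (assumed) application item AI_USER_AD_GROUPS.
create or replace procedure ldap_post_auth_groups
as
begin
  apex_util.set_session_state('AI_USER_AD_GROUPS', fnc_get_ldap_user_groups(apex_application.g_user));
end ldap_post_auth_groups;
/
-- Authorization: exact, case-insensitive match of one group DN against the cached
-- list. In an authorization scheme of type "PL/SQL Function Returning Boolean":
--   return fnc_is_ad_group_member('CN=Students,OU=Groups,DC=hct,DC=org');  -- assumed DN
create or replace function fnc_is_ad_group_member (p_group_dn in varchar2)
return boolean
as
  l_list varchar2(4000) := v('AI_USER_AD_GROUPS');
begin
  -- Each DN in the list is newline-terminated, so "\nDN\n" only matches a whole DN.
  return instr(chr(10) || upper(l_list), chr(10) || upper(p_group_dn) || chr(10)) > 0;
end fnc_is_ad_group_member;
/
```

Assign ldap_post_auth_groups as the post-authentication procedure of the LDAP authentication scheme, and set the session state protection of AI_USER_AD_GROUPS to "Restricted - May not be set from browser" so the group list can only come from this procedure.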

Tags: Database

Similar Questions

  • Urgent - Custom authentication and authorization for an ADF application

    Hi friends,

    Custom implementation of authentication and authorization for an ADF application

    My project uses OID; for authentication and authorization we will need to support both OAM and DB tables (according to the client's preference during installation).

    I am new to this and do not have a clue about it.

    Please guide me on how to set up both in JDeveloper 11g + ADF.

    Thanks in advance.

    The answers you got so far all point in the right direction. ADF Security relies on WLS for authentication and, for authorization, on the enterprise user roles defined on the WLS server. During deployment, the application roles defined by ADF Security are mapped to the users' enterprise groups.

    Application developed using JDeveloper + ADF.

    This would use WLS for authentication.

    Authentication - users are stored in LDAP (OID)

    Use the OID authentication provider in WLS

    Authorization - OAM or database (authorization details are stored in OAM or in DB tables)

    You can't allow users in without authentication. If you need to, create additional authentication providers, if they exist, for OAM and RDBMS (there is an existing RDBMS provider that you can use to identify users and to assign group memberships to users). Then you set the OPTIONAL flag so that, when authentication fails for the additional providers, you can still start the application.

    At runtime, admin users create roles, assign permission privileges to the roles (for pages and workflows),
    and assign (or remove) users to/from the roles.

    ADF Security uses JAAS permissions that you can change at runtime using Enterprise Manager. Permissions are granted to application roles, and application roles are granted to enterprise roles, of which users then become members. If you want to change the status of a user account, you don't do this in ADF or EM, but use direct access to the user provider (for example, OID access, RDBMS access, etc.). There is no unified administration API available that would allow you to do this via WLS (which uses OPSS).

    If your question is in the context of ADF, the documentation you should follow is that of OPSS and WLS authentication providers.

    Frank

  • Custom DB tables and packages for authentication and authorization

    I would like to build custom authentication for my APEX 4.1 application.
    I need only a few basic actions and features.
    My idea:
    tables USER, ROLES and USER_ROLES, plus a package of actions and pages (create user, grant role, authenticate, change password, activate/deactivate account, etc.)

    Before starting to write this little "authentication framework", I would like to ask you whether you know of existing solutions.

    I would rather use some existing, proven framework and save time :-)

    Thanks for any tips...

    No, I have not found an existing solution. I have developed my own simple solution for authentication and authorization.

    I recommend you do the same thing.

  • Authentication and authorization

    Hello

    We currently run several Oracle databases on 2 separate servers, with APEX installed in each database. For authentication (and authorization) we have created a 'user' schema for each of these databases, and then one or more tables for authorization requirements under the 'user' table. In each of these user tables in the different databases, we have one column to store the name of each user's Oracle database account, 2 columns (username and hashed password), and another column to record the user's Microsoft Active Directory account name for custom authentication. In this way, different applications using the same schema can use a different authentication method.

    The problem is that, for the different databases, we had to create at least one 'user' table or schema per database, because there are a lot of other tables that refer to PERS_PK. Is there an elegant solution for implementing a single store for the user repository? Again, we need not only authentication and authorization; we also have tables in different schemas and different databases that refer to these PERS_PK.

    Thank you.
    Andy

    Hello Andy,

    That is right. As previously mentioned, an FK works only with objects that are located in the same database instance.
    Regarding option 2, bi-directional updates are usually difficult to manage. If you can't make it master/slave somehow, you'd better use the first option.

    -Udo

  • Firepower does not work when using an Active Directory group as an access control rule filter

    I am doing a PoV of Cisco ASA with FirePOWER for my client. I would like to integrate FirePOWER with MS Active Directory. Everything seems to work properly.

    - The FirePOWER User Agent installation completed successfully. The connection to AD works fine. The log is GREEN.

    - I created a realm in FireSIGHT and can download users and groups from Active Directory.

    - I created an identity policy with passive authentication (using the realm I created).

    - I can use an AD 'user' account as a filter in an access control rule and it works very well.

    However, if I create the access control rule with an AD group, the rule never gets matched. I'm sure that the user I test with is a member of the group. The connection events show the system ignoring this rule, and the traffic is blocked by the default action below it. It looks like FirePOWER doesn't know that the user belongs to the group.

    I use:

    - FirePOWER User Agent for Active Directory v2.3 build 10.

    - ASA 5515, software version 9.5(2)

    - FirePOWER module version 6.0.0-1005

    - FirePOWER Management Center for VMware

    Any suggestion would be appreciated. Thanks in advance.

    Hello

    You should check the 'download users' option under the realm. Download the users once the group membership is specified in AD, and then test the connection.

    Thank you

    Yogesh

  • Administrator rights to the ACS using Active Directory groups

    Good afternoon

    We need to be able to use administrative accounts for our ACS device that reside in an Active Directory group, if possible.  If this is not possible, what other, safer options would we be able to use (RADIUS authentication or RSA 2 authentication)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.

  • Portal administrators from Active Directory groups

    I want to add additional users with "admin" status, so that more people can use the "Admin Console". I want to do this using Active Directory groups.

    Can anyone say if this is possible and how?

    Maybe it's in the documentation, but I couldn't find it.

    For now, it is not possible to assign the Admin role to a group of users. However, you can promote individual users to the Administrator role. You can search for a user name and click on it to view the user's details. On the left side you will see Role(s), and the 'User' text is clickable. When you click on that text you will be able to change the role.

  • Can Active Directory groups be used in FDMEE location security?

    Hi FDMEE experts:

    We are upgrading to HFM/FDMEE 11.1.2.4.    We would like to use only Active Directory groups for our security in Shared Services.

    I did a lot of research into whether we can use AD groups for FDMEE location security.  So far, the only way I found to make location security work uses the native approach (Setup / Security Settings / Location Security... click 'Maintain User Groups' to set up the groups).    But there doesn't seem to be an option to create the groups as native or AD groups (FDMEE creates them only natively).

    Does anyone know if it is possible in FDMEE to use AD groups for location security?

    Thank you
    Mark Smith

    I discovered that FDMEE can only create native groups for location security.

    However, Active Directory groups can be added as members of the native groups.   In this way, users only need to be added to Active Directory groups.    The only maintenance is to add or remove Active Directory groups to or from the FDMEE native groups.

  • P2V checklist for Active Directory

    Hi people,

    Has someone done a P2V of Active Directory (2-node Active Directory)? Do you have a list of items to check after the P2V of an AD node?

    Jaikrit Negi

    (VCP, NCDA, BCCFP, ASFS)

    If you find this answer useful, please consider giving points by marking the correct or helpful answer.

    The best solution is not to do a P2V of a domain controller at all, but to use dcpromo on a virtual machine to build a new domain controller and dcpromo on the old one to demote it.

    In any case, if you really want to do a P2V, just be sure of these tips:

    • ALWAYS use a cold conversion (using the Converter Enterprise live CD)

    • Make sure that no FSMO roles are on the domain controller that you are going to P2V (after the conversion you can move them back)

    • make sure that replication is fine before and after (use replmon)

    • If possible, during the P2V do not make AD changes on another DC

    • When your DC is converted to virtual, NEVER power on the old one (connected to the network)

    André

    * If you found this or any other answer useful, please consider awarding points for correct or helpful answers

  • Windows Server 2008 R2 with two Windows Storage Server 2003 Standard: How can I add MAC authentication on top of Active Directory authentication for a storage server?

    I have two storage servers running Windows Storage Server 2003 in a Windows Server 2008 R2 Standard domain.  On top of Active Directory authentication, I want to add MAC address authentication for access to one of the storage servers.  In this scenario, an authenticated user is unable to log on to the target storage server unless the user is also on one of the computers with an accepted MAC address.  All domain users will have access to the other storage server's folders and files as configured in Active Directory.  I already have user access set up through folder permissions on the target storage server, but I still want to restrict access to specific computers as well.  For what it's worth, the server hardware is an HP ProLiant DL360 G5 for the Server 2008 R2 Standard and HP ProLiant DL185 G5 for the two Storage Server 2003 computers.  I don't want MAC address authentication as the main means of access control to the network, only for the one storage server as an addition to Active Directory control.

    Hi Kerry,

    The question you posted would be better suited to the TechNet Server Forums, since they have dedicated support for this; we recommend that you post your question in the TechNet Forums to get help:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

    Keep us informed on the status of the issue.

  • ESXi 6.0 host Active Directory group authentication works in the shell but not in the client

    Got a weird one here.

    Added a vSphere 6.0 host to Active Directory.

    Added an AD group with the Administrator role.

    I can authenticate with an AD user account that is a member of this AD group, using SSH or Shell access.

    I cannot authenticate with an AD account that is a member of this AD group using the Web UI or vSphere Client connecting directly to the host.

    If I add the domain user directly with the Administrator role in the host permissions, the Web GUI and vSphere Client will authenticate the AD user.

    It looks like, when accessing via SSH/Shell, the vSphere host can resolve group membership and authenticate, but when using the Web GUI or vSphere Client it can't.  That doesn't make a lot of sense to me.

    The hostd.log file has nothing very informative in it, just a line saying "status: success, accepted password for user", followed by event 131: could not log in user, no permission.

    Hello

    Are you on 6.0 Update 2? Then this article could describe your problem:

    https://KB.VMware.com/kb/2145400

    Please try the fix and let us know if it helps.

    -Andreas

  • Where can I find and download the Active Directory users and computers for Windows 7

    Where can I find and download Active Directory Users and Computers for Windows 7?

    Thank you

    Fred Tarpley

    AD is not a consumer product.  You'll be much more likely to get an answer as to where you can get it on TechNet (for IT Pros).

    This issue is beyond the scope of this site (for consumers), and to be sure you get the best (and fastest) reply, we have to ask you to post either on TechNet (for IT Pros) or MSDN (for developers).

    If you give us a link to the new thread we can point some resources to it.

  • Principal name for Active Directory "Domain Users".

    Hello

    I successfully integrated WebLogic & Active Directory Kerberos (single sign-on). I tested a web application and successfully logged in with authentication.
    The system automatically recognizes my Active Directory user name. It worked.

    For authentication in my weblogic.xml I used

    <security-role-assignment>
      <role-name>Admin</role-name>
      <principal-name>Kursat</principal-name>
      <principal-name>Fenerbahçe</principal-name>
    </security-role-assignment>

    Now I am trying to allow all domain members to authenticate to my application. For my application I only need the usernames from the directory for them.

    To do this, I removed "Kursat" and "Fenerbahçe" from my weblogic.xml
      <principal-name>Kursat</principal-name>
      <principal-name>Fenerbahçe</principal-name>

    I added
      <principal-name>Domain Users</principal-name>
    rather than writing all the users in the domain.

    However, I could not authenticate. I got "Error 403 - Forbidden".

    Can someone help me?

    Test by creating a Domain Users group and use it as your principal name in your weblogic.xml

    -Faisal
    http://www.WebLogic-wonders.com

  • Kerberos policy for a WinServer2008r2 Active Directory group

    Hi all

    Need help badly on this. I'm trying to implement Kerberos on my Active Directory. What I understand is that Kerberos is the default and primary authentication protocol used when connected to a domain, but where and how do I configure Kerberos settings in Group Policy? I managed to find the Kerberos configurations in the "Local Group Policy Editor", but this would not push the configurations to my clients, right?

    I want to disable NTLM authentication as well, and once again I can find it under Local Policies > Security Options, but these are all local policies, right? Is it possible that I can disable NTLM on my Active Directory and ensure that these settings are applied to both my client computers?

    Thank you so much in advance!
    PS: Sorry if I got some of my facts wrong; I'm a student doing an internship and my understanding of Active Directory is not that strong.

    Server forums are more on the Microsoft TechNet side of the web site;
    that is where you find the people who know.

    http://social.technet.Microsoft.com/forums/en-us/categories

  • Order of authentication and authorization, ISE

    Hello

    I am looking to configure ISE to authenticate AD-joined PCs (using AnyConnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The PCs and phones connect on the same switchport. The switchport configuration was:

    switchport
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator

    The configuration above worked well, with the switch's 'show authentication sessions' showing dot1x as the method for the DATA domain and mab for VOICE. I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first by mab. As a result, the switch's 'show authentication sessions' showed mab as the method for both VOICE and DATA.

    To avoid this I created an authorization policy on ISE to respond with an "Access-Reject" when "UseCase = Host Lookup" and the endpoint identity group was Unknown (the group that contains the AD PCs). This worked well - the switch would attempt to authenticate the PC and the phone with mab. When an "Access-Reject" was received for the PC, the switch would move on to the next method and the PC would be authenticated using dot1x.

    The only problem with this is that the ISE logs soon filled up with denies caused by the authorization policy. Is it possible to achieve the scenario above without affecting the logs?

    Thank you
    Andy

    Hi Andy,

    Have you tried having the config the following way:

     authentication order mab dot1x
     authentication priority dot1x mab

    This "order" will tell the switchport to always start with mab, but the 'priority' keyword will allow the switchport to accept dot1x authentications from dot1x-capable devices.

    For more information see this link:

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/identity-based-networking-service/application_note_c27-573287.html

    Thank you for rating useful posts!
