Wednesday 25 September 2013

Using LDAP to authenticate your APEX users

It can be fairly simple to configure your APEX application to authenticate against your Active Directory server - this means your users can use the same username/password as the use to log onto their desktop machine - a big plus.

Declarative definition can be as simple as heading to Shared Components -> Authentication scheme and selecting 'LDAP Directory' from the scheme gallery.

Settings might be as simple as:
Host : myserver
Port : 389
DN String : MYDOMAIN\%LDAP_USER%

Further examples of the distinguished name string are shown in the item help.

LDAP Authentication definition
I've also seen an interesting use case in a popular APEX book. Here they also enabled authorisation definition (roles based on LDAP groups) - and they did it efficiently with some PL/SQL & materialized views.

There are a number of other examples in the #orclapex blogosphere on this:
http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex/
http://doloracle.blogspot.com.au/2011/10/how-to-apex-ldap-authentication-for.html
and plenty of support in the OTN forum.

If you're keen to get your hands a little dirtier, there is also a supporting package APEX_LDAP.

Scott

3 comments:

Anonymous said...

There is nothing straightforward about getting this working in my opinion. I have to wrestle with DBAs to set up ACLs, and if you are using a global catalogue to search which doesnt accept anonymous querying of active directory, you need a service account. I still havent got this working and have been trying to get this working on and off for a few years! It is also never clear when creating ACLs if they should be created for the APOEX_0500 schema, or the parsing schema of your application. I would love an end to end real life walk through of this which consolidates all the issues in one place.

Scott Wesley said...

That's a very fair point regarding the ACLs, and there isn't much information on this and I'm always a little unsure myself. I've made a note to flesh this out further.

Antonio said...

It worked for me thank you very much.