
Re: ldap authentication

From: Jason Heinrich <jheinrich_at_pcci.edu>
Date: Fri, 26 Aug 2005 11:01:22 -0500
Message-ID: <BF34A702.9C43%jheinrich@pcci.edu>


Here it is. Obviously some customization will be necessary for your directory's structure.

CREATE OR REPLACE FUNCTION LDAP_AUTHENTICATE (i_username IN VARCHAR2, i_password IN VARCHAR2) RETURN BOOLEAN AS

  c_Directory     CONSTANT VARCHAR2(50)  := '<address of directory>';
  c_Port          CONSTANT NUMBER(4)     := 389;
  c_BaseDN        CONSTANT VARCHAR2(200) := '<base DN (where to start looking)>';
  c_InitUser      CONSTANT VARCHAR2(200) := '<DN of lookup user>';
  c_InitPass      CONSTANT VARCHAR2(32)  := '<password of lookup user>';
  v_session       DBMS_LDAP.SESSION;
  v_success       PLS_INTEGER;
  v_attributes    DBMS_LDAP.STRING_COLLECTION;
  v_result        DBMS_LDAP.MESSAGE;
  v_entry         DBMS_LDAP.MESSAGE;
  v_userdn        VARCHAR2(2000);
  v_authenticated BOOLEAN := FALSE;

BEGIN
  --An empty password turns SIMPLE_BIND_S into an anonymous (unauthenticated) bind,
  --which Active Directory accepts, so reject it before touching the directory.
  --Filter metacharacters are rejected because the username is concatenated
  --straight into the search filter below.
  IF i_username IS NULL OR i_password IS NULL
     OR REGEXP_LIKE(i_username, '[()*\]') THEN
    RETURN FALSE;
  END IF;

  --Open initial lookup session.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, c_InitUser, c_InitPass);
  IF v_success = DBMS_LDAP.SUCCESS THEN
    --Retrieve user's DN. I look in both sAMAccountName and mailNickname for a match to the username.
    v_attributes(1) := NULL;
    v_success := DBMS_LDAP.SEARCH_S(ld       => v_session,
                                    base     => c_BaseDN,
                                    scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                    filter   => '(|(sAMAccountName=' || i_username || ')(mailNickname=' || i_username || '))',
                                    attrs    => v_attributes,
                                    attronly => 0,
                                    res      => v_result);
    IF v_success = DBMS_LDAP.SUCCESS THEN
      --Get the DN that was returned. Require exactly one match, so an unknown or
      --ambiguous username never reaches the bind step.
      IF DBMS_LDAP.COUNT_ENTRIES(v_session, v_result) = 1 THEN
        v_entry  := DBMS_LDAP.FIRST_ENTRY(v_session, v_result);
        v_userdn := DBMS_LDAP.GET_DN(v_session, v_entry);
      END IF;
      IF v_userdn IS NOT NULL THEN
        --We have their dn, so we can now try to authenticate them.
        v_success := DBMS_LDAP.UNBIND_S(v_session);
        v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
        v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, v_userdn, i_password);
        --Only a successful bind as the user's own DN counts; the lookup bind and
        --the search succeeding must not be mistaken for authentication.
        v_authenticated := (v_success = DBMS_LDAP.SUCCESS);
      END IF;
    END IF;
  END IF;

  --Always release the session before returning.
  v_success := DBMS_LDAP.UNBIND_S(v_session);
  RETURN v_authenticated;
EXCEPTION
  WHEN OTHERS THEN
    RETURN FALSE;
END;

Jason Heinrich
Oracle Database Administrator
Pensacola Christian College
(850) 478-8496 x2509
jheinrich_at_pcci.edu

> From: "Goulet, Dick" <DGoulet_at_vicr.com>
> Date: Fri, 26 Aug 2005 11:19:56 -0400
> To: <jheinrich_at_pcci.edu>, <stellr_at_cns.vt.edu>, oracle-l
> <oracle-l_at_freelists.org>
> Subject: RE: ldap authentication
>
> Jason,
>
> Would you care to share that proof of concept code???
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jason Heinrich
> Sent: Friday, August 26, 2005 11:16 AM
> To: stellr_at_cns.vt.edu; oracle-l
> Subject: Re: ldap authentication
>
> The article in question is talking about logging into an application
> (especially an HTMLDB application), not logging into the database. The
> assumption is that the application is already connected/authenticated with
> the database. The only software requirement for the LDAP authentication
> then is an Oracle database with the DBMS_LDAP package, which comes with
> Standard edition.
>
> I did something like this last month as a proof-of-concept for
> authenticating against our Active Directory. Basically it involves
> connecting to AD as a read-only lookup user, retrieving the user's DN, then
> attempting to reconnect to AD as that DN with the user-supplied password.
> If the second connection worked, we return TRUE that they're
> authenticated.
>
> ---------------
> Jason Heinrich
> Oracle Database Administrator
> Pensacola Christian College
> (850) 478-8496 x2509
> jheinrich_at_pcci.edu

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Aug 26 2005 - 11:03:59 CDT
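The search-then-bind flow Jason describes (bind as a read-only lookup user, find the user's DN, rebind as that DN with the supplied password) is shown below as an added example that is not part of the thread or of Jason's DBMS_LDAP code. It is written in Python against an in-memory stand-in for the domain controller (FakeDirectory, the entries, DNs and passwords are all constructed for this example; the lookup DN and base DN are assumed names) and adds the three checks that the PL/SQL version needs a reviewer to point out: the username is escaped per RFC 4515 before it goes into the filter, an empty password is refused because the directory would treat the bind as anonymous and report success, and exactly one search hit is required before any bind as the user is attempted. A small filter evaluator is included so the effect of escaping a wildcard can be seen on the constructed entries.

```python
"""Search-then-bind LDAP authentication with the checks a reviewer would add.
The directory below is a constructed stand-in, not a real LDAP client."""
import re
from typing import Callable, Dict, List

Entry = Dict[str, str]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str) -> Callable[[Entry], bool]:
    """Compile a subset of RFC 4515 ((attr=value) with '*' wildcards, (|...) and
    (&...)) into a predicate over one entry; enough to evaluate the thread's filter."""
    pos = 0

    def node() -> Callable[[Entry], bool]:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "|&":
            op, subs = text[pos], []
            pos += 1
            while text[pos] == "(":
                subs.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "|":
                return lambda e: any(s(e) for s in subs)
            return lambda e: all(s(e) for s in subs)
        end = text.index(")", pos)  # a ')' inside a value arrives escaped as \29, so this is safe
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        # An unescaped '*' is a wildcard; escaped bytes become literal characters.
        pattern = re.compile(
            "^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$",
            re.IGNORECASE)
        key = attr.strip().lower()

        def match(entry: Entry) -> bool:
            for name, val in entry.items():
                if name.lower() == key:
                    return pattern.match(val) is not None
            return False  # attribute absent: no match
        return match

    pred = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return pred


class FakeDirectory:
    """Constructed stand-in for the domain controller."""

    def __init__(self, entries: Dict[str, Entry], passwords: Dict[str, str]):
        self.entries = entries      # DN -> attributes
        self.passwords = passwords  # DN -> password

    def simple_bind(self, dn: str, password: str) -> bool:
        # Emulates the unauthenticated-bind rule (RFC 4513 section 5.1.2): a DN
        # with an empty password binds anonymously and the bind "succeeds".
        if password == "":
            return True
        return self.passwords.get(dn) == password

    def search(self, base: str, filter_text: str) -> List[str]:
        pred = parse_filter(filter_text)
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(base.lower()) and pred(entry)]


# Assumed/constructed directory layout and credentials.
BASE_DN = "DC=example,DC=com"
LOOKUP_DN = "CN=svc-lookup,OU=Service,DC=example,DC=com"
LOOKUP_PASSWORD = "lookup-secret"
DIRECTORY = FakeDirectory(
    entries={
        "CN=Jason Heinrich,OU=Staff,DC=example,DC=com":
            {"sAMAccountName": "jheinrich", "mailNickname": "jason.heinrich"},
        "CN=Ann Other,OU=Staff,DC=example,DC=com":
            {"sAMAccountName": "aother", "mailNickname": "ann.other"},
        LOOKUP_DN: {"sAMAccountName": "svc-lookup"},
    },
    passwords={
        "CN=Jason Heinrich,OU=Staff,DC=example,DC=com": "correct horse",
        "CN=Ann Other,OU=Staff,DC=example,DC=com": "battery staple",
        LOOKUP_DN: LOOKUP_PASSWORD,
    })


def ldap_authenticate(directory: FakeDirectory, username: str, password: str) -> bool:
    """Lookup bind, search by sAMAccountName or mailNickname, then bind as the user."""
    if not username or not password:
        return False  # an empty password would become an anonymous bind
    if not directory.simple_bind(LOOKUP_DN, LOOKUP_PASSWORD):
        return False
    value = escape_filter_value(username)
    matches = directory.search(
        BASE_DN, "(|(sAMAccountName=%s)(mailNickname=%s))" % (value, value))
    if len(matches) != 1:
        return False  # unknown or ambiguous account: never fall through to TRUE
    return directory.simple_bind(matches[0], password)


if __name__ == "__main__":
    print(ldap_authenticate(DIRECTORY, "jheinrich", "correct horse"))
    print(ldap_authenticate(DIRECTORY, "jheinrich", ""))
```

The outcome is decided only by the final bind as the user's own DN; the lookup bind and the search succeeding are never treated as evidence that the caller is who they claim to be.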
