dbms_ldap.simple_bind_s doesn't work with PW containing "!" (Oracle Database 11g Enterprise Edition Release 11.2.0.4.0) [message #646064] Fri, 18 December 2015 12:20
Duane
Has anyone encountered a problem using dbms_ldap.simple_bind_s when a Password contains a "!"?

If I call this function with a Password of "OneTime#" then I'm able to authenticate against our Domain Controller. Calling the same function with a Password of "OneTime!" fails every time with "ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580".

Does something special need to be done when the Password contains a "!"? Escape it somehow?


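procedure Authenticate (SSOID    in  varchar2 default null,
                        Password in  varchar2 default null) is

ReturnValue pls_integer  default -1;
LDAPPort    number       default 3268;
LDAPHost    varchar2(20) default 'ldap.xxxx.edu';
LDAPSession dbms_ldap.session;

begin
  -- Raise ORA- exceptions on LDAP errors instead of returning error codes
  dbms_ldap.use_exception := true;
  -- Open a session to the directory server
  LDAPSession := dbms_ldap.init(LDAPHost, LDAPPort);
  -- Simple bind with the SSOID and Password exactly as they were passed in
  ReturnValue := dbms_ldap.simple_bind_s(LDAPSession, SSOID, Password);

exception
  when others
    then
      null; -- this handler discards every error, including ORA-31202

end;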

[Updated on: Fri, 18 December 2015 12:22]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646065 is a reply to message #646064] Fri, 18 December 2015 13:55
EdStevens
Duane wrote on Fri, 18 December 2015 12:20
Has anyone encountered a problem using dbms_ldap.simple_bind_s when a Password contains a "!"?

If I call this function with a Password of "OneTime#" then I'm able to authenticate against our Domain Controller. Calling the same function with a Password of "OneTime!" fails every time with "ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials.


The first thing that comes to mind is .. gee it worked with password = "OneTime#", so that must be the password so of course some other password will have a credential failure ...
But I'll presume for the moment that there is something you left out that covers that.

That said, I'll admit that I've never dealt with ldap authentication, but one other thought does occur. There are cases in which passwords get passed through an environment that is looking for certain special characters for special interpretation and if the password contains that special character, things can go south in a hurry. For instance, when sqlplus is parsing a command line looking for the connect string which is denoted by a "@" (as in 'sqlplus myuser/mypwd@orcl'), if the password is also included and the password contains an "@", it causes the parser to short the password and try to make the rest of it the connect string. I've also known Oracle Forms to choke on a password that contained a "#", though was never able to run to ground exactly why. Could it be that in your case the password is getting passed through a routine that is looking for "!" and giving it special meaning?

Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646066 is a reply to message #646065] Fri, 18 December 2015 14:14
Duane
That wasn't very clear.

What I meant was if a Password was "OneTime#" then the call worked. If someone has a Password with "!", such as, "OneTime!" then the call fails. I was trying to point out that a Password with a "#" works and a Password with a "!" fails.

The only thing I'm doing is passing the parameters to the function. Nothing else.

Like this:
User enters SSOID = Oracle Password = OneTime!

procedure Authenticate (SSOID    in  Oracle,
                        Password in  OneTime!)

.
.
ReturnValue := dbms_ldap.simple_bind_s(LDAPSession, Oracle, OneTime!);



The "simple_bind_s" function is receiving exactly what the user entered. I have trapped the values in the procedure and they are the same. It would appear the "simple_bind_s" is doing something with the "!" when it makes the call so when the "!" gets to the Domain Controller then the Password doesn't match.

[Updated on: Fri, 18 December 2015 14:15]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646082 is a reply to message #646066] Sat, 19 December 2015 04:26
John Watson
You can't use a ! character as part of a parameter name. The legal characters for identifiers are in the docs.

[Updated on: Sat, 19 December 2015 04:26]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646083 is a reply to message #646082] Sat, 19 December 2015 04:30
John Watson
Sorry, I misread your code. Need to open my eyes.

Your code makes no sense at all. This,
procedure Authenticate (SSOID    in  Oracle,
                        Password in  OneTime!)

is declaring parameters with datatypes that do not exist, and this,
ReturnValue := dbms_ldap.simple_bind_s(LDAPSession, Oracle, OneTime!);
appears to be passing strings as arguments that are not enclosed in quotes.

What is your actual code? Does it compile?

[Updated on: Sat, 19 December 2015 04:33]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646114 is a reply to message #646083] Sat, 19 December 2015 14:33
Duane
It seems I'm confusing you. What I was attempting to do, and badly at that, was to show the user's values in the passed parameters and the call using those values.

My code:


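procedure Authenticate (SSOID    in  varchar2 default null,
                        Password in  varchar2 default null) is

ReturnValue pls_integer  default -1;
LDAPPort    number       default 3268;
LDAPHost    varchar2(20) default 'ldap.xxxx.edu';
LDAPSession dbms_ldap.session;

begin
  -- Raise ORA- exceptions on LDAP errors instead of returning error codes
  dbms_ldap.use_exception := true;
  -- Open a session to the directory server
  LDAPSession := dbms_ldap.init(LDAPHost, LDAPPort);
  -- Simple bind with the SSOID and Password exactly as they were passed in
  ReturnValue := dbms_ldap.simple_bind_s(LDAPSession, SSOID, Password);

exception
  when others
    then
      null; -- this handler discards every error, including ORA-31202

end;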



If the user has an SSOID/Password of Oracle/OneTime! then SSOID would equal Oracle and Password would equal OneTime! Using my code from above I was trying to show what the procedure would look like with those values and the LDAP call with those values.

Here's what I should have shown but I wanted to show SSOID = Oracle and Password = OneTime! so that's why I left the parameter names as is.


procedure Authenticate (Oracle,
                        OneTime!)



This was just to show that I wasn't doing anything to the values and that a Password containing a "#" would work but a password with a "!" would fail. The LDAP call was just using whatever values were passed in.

Hopefully, that cleared that up.

[Updated on: Sat, 19 December 2015 14:37]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646118 is a reply to message #646114] Sun, 20 December 2015 03:07
John Watson
When you say this,
Quote:
procedure Authenticate (Oracle,
OneTime!)
do you actually mean this,
Quote:
procedure Authenticate ('Oracle',
'OneTime!')
?

If so, the obvious question is "what is the password?" However, assuming that the password really does have an exclamation point, that is a legal character. But if you look at RFC 2254, you'll see that it does have a meaning as a search filter, so probably better to avoid it.

[Updated on: Sun, 20 December 2015 04:51]


Re: dbms_ldap.simple_bind_s doesn't work with PW containing "!" [message #646156 is a reply to message #646118] Sun, 20 December 2015 13:42
Duane
Probably if that's how Oracle sees the input value. All I know is what those values contain when the procedure is called. Meaning, if SSOID = X and Password = Y does Oracle see the values as procedure Authenticate (Oracle, OneTime!) or procedure Authenticate ('Oracle', 'OneTime!'). Not sure how Oracle sees the values but I know that I'm getting whatever is being typed in.

I was hoping to not tell students that they can't have a password that contains an exclamation point. I also was hoping someone had this same problem and would be able to tell me to do this or do that to work around this issue. Just seems odd that a password can't contain an exclamation point.

Thanks.
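
Added example, not part of any post in this thread: a PL/SQL wrapper around the same dbms_ldap calls that rejects empty credentials before binding, returns the outcome to the caller instead of discarding it, and decodes the Active Directory "data" sub-code seen in the ORA-31202 text. The function name, parameter names and reason strings are assumptions; the host and port are the thread's own placeholders.

```plsql
create or replace function authenticate_user (
  p_ssoid    in  varchar2,
  p_password in  varchar2,
  p_reason   out varchar2)          -- text for the caller's log, never the password
  return boolean is
  c_host    constant varchar2(64) := 'ldap.xxxx.edu';  -- placeholder host from the thread
  c_port    constant pls_integer  := 3268;  -- plain LDAP: bind password crosses the wire unencrypted
  l_session dbms_ldap.session;
  l_rc      pls_integer;
  l_sqlcode pls_integer;
  l_errm    varchar2(4000);
begin
  -- An empty password makes a simple bind "unauthenticated" (RFC 4513, 5.1.2),
  -- which a directory may accept without checking anything. Reject it up front.
  if p_ssoid is null or p_password is null then
    p_reason := 'empty SSOID or password rejected';
    return false;
  end if;
  dbms_ldap.use_exception := true;
  l_session := dbms_ldap.init(c_host, c_port);
  l_rc := dbms_ldap.simple_bind_s(l_session, p_ssoid, p_password);
  l_rc := dbms_ldap.unbind_s(l_session);
  p_reason := 'bind ok';
  return true;
exception
  when others then
    l_sqlcode := sqlcode;
    l_errm    := sqlerrm;
    begin   -- release the session; a failure here must not mask the bind error
      l_rc := dbms_ldap.unbind_s(l_session);
    exception when others then null;
    end;
    if l_sqlcode != -31202 then
      raise;                        -- not an LDAP client/server error: let it propagate
    end if;
    -- Active Directory puts a hex Windows error after "data", e.g. "data 52e"
    p_reason := case lower(regexp_substr(l_errm, 'data ([0-9a-f]+)', 1, 1, 'i', 1))
                  when '525' then 'user not found'
                  when '52e' then 'invalid credentials'
                  when '532' then 'password expired'
                  when '533' then 'account disabled'
                  when '701' then 'account expired'
                  when '773' then 'user must reset password'
                  when '775' then 'account locked out'
                  else 'LDAP error: ' || substr(l_errm, 1, 200)
                end;
    return false;
end authenticate_user;
/
```

Logging p_reason per attempt separates a rejected password (52e) from an account that repeated test binds have locked (775), which look the same to the user.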