Re: ldap authentication
- From: Jason Heinrich <jheinrich@xxxxxxxx>
- To: "Goulet, Dick" <DGoulet@xxxxxxxx>, oracle-l <oracle-l@xxxxxxxxxxxxx>
- Date: Fri, 26 Aug 2005 11:01:22 -0500
Here it is. Obviously some customization will be necessary for your
directory's structure.
CREATE OR REPLACE FUNCTION LDAP_AUTHENTICATE
(i_username IN VARCHAR2, i_password IN VARCHAR2) RETURN BOOLEAN
AS
  c_Directory CONSTANT VARCHAR2(50)  := '<address of directory>';
  c_Port      CONSTANT NUMBER(4)     := 389;
  c_BaseDN    CONSTANT VARCHAR2(200) := '<base DN (where to start looking)>';
  c_InitUser  CONSTANT VARCHAR2(200) := '<DN of lookup user>';
  c_InitPass  CONSTANT VARCHAR2(32)  := '<password of lookup user>';
  v_session       DBMS_LDAP.SESSION;
  v_success       PLS_INTEGER;
  v_rc            PLS_INTEGER;
  v_attributes    DBMS_LDAP.STRING_COLLECTION;
  v_result        DBMS_LDAP.MESSAGE;
  v_userdn        VARCHAR2(2000);
  v_authenticated BOOLEAN := FALSE;

  -- Escape the user-supplied value before splicing it into the search filter
  -- (RFC 4515). Without this a username such as *)(objectClass=* rewrites
  -- the query instead of being looked up.
  FUNCTION escape_filter(p_value IN VARCHAR2) RETURN VARCHAR2 IS
    v_out VARCHAR2(4000) := p_value;
  BEGIN
    v_out := REPLACE(v_out, '\', '\5c');   -- backslash first, it is the escape character
    v_out := REPLACE(v_out, '*', '\2a');
    v_out := REPLACE(v_out, '(', '\28');
    v_out := REPLACE(v_out, ')', '\29');
    v_out := REPLACE(v_out, CHR(0), '\00');
    RETURN v_out;
  END escape_filter;
BEGIN
  -- Never pass an empty password to the bind: Active Directory treats a
  -- simple bind with no password as an anonymous bind and reports success.
  IF i_username IS NULL OR i_password IS NULL THEN
    RETURN FALSE;
  END IF;

  -- Open initial lookup session as the read-only lookup user.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, c_InitUser, c_InitPass);
  IF v_success = DBMS_LDAP.SUCCESS THEN
    -- Retrieve the user's DN. I look in both sAMAccountName and mailNickname
    -- for a match to the username. Only the DN is used from the result.
    v_attributes(1) := NULL;
    v_success := DBMS_LDAP.SEARCH_S(ld       => v_session,
                                    base     => c_BaseDN,
                                    scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                    filter   => '(|(sAMAccountName=' || escape_filter(i_username) ||
                                                ')(mailNickname=' || escape_filter(i_username) || '))',
                                    attrs    => v_attributes,
                                    attronly => 0,
                                    res      => v_result);
    IF v_success = DBMS_LDAP.SUCCESS THEN
      -- Exactly one entry must match. Zero means an unknown user; more than
      -- one means somebody's mailNickname equals somebody else's
      -- sAMAccountName, and binding as "the first DN returned" would
      -- authenticate the wrong account.
      IF DBMS_LDAP.COUNT_ENTRIES(v_session, v_result) = 1 THEN
        v_userdn := DBMS_LDAP.GET_DN(v_session,
                                     DBMS_LDAP.FIRST_ENTRY(v_session, v_result));
      END IF;
      v_rc := DBMS_LDAP.MSGFREE(v_result);
    END IF;
  END IF;
  v_rc := DBMS_LDAP.UNBIND_S(v_session);

  IF v_userdn IS NOT NULL THEN
    -- We have their DN, so we can now try to authenticate them by binding
    -- as that DN with the password they supplied.
    v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
    v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, v_userdn, i_password);
    v_authenticated := (v_success = DBMS_LDAP.SUCCESS);
    v_rc := DBMS_LDAP.UNBIND_S(v_session);
  END IF;
  -- Only a successful bind as the user's own DN counts; the success code
  -- from the lookup search must not leak through to the return value
  -- (otherwise an unknown username would come back as authenticated).
  RETURN v_authenticated;
EXCEPTION
  WHEN OTHERS THEN
    RETURN FALSE;
END LDAP_AUTHENTICATE;
---------------
Jason Heinrich
Oracle Database Administrator
Pensacola Christian College
(850) 478-8496 x2509
jheinrich@xxxxxxxx
> From: "Goulet, Dick" <DGoulet@xxxxxxxx>
> Date: Fri, 26 Aug 2005 11:19:56 -0400
> To: <jheinrich@xxxxxxxx>, <stellr@xxxxxxxxxx>, oracle-l
> <oracle-l@xxxxxxxxxxxxx>
> Subject: RE: ldap authentication
>
> Jason,
>
> Would you care to share that proof of concept code???
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Heinrich
> Sent: Friday, August 26, 2005 11:16 AM
> To: stellr@xxxxxxxxxx; oracle-l
> Subject: Re: ldap authentication
>
> The article in question is talking about logging into an application
> (especially an HTMLDB application), not logging into the database. The
> assumption is that the application is already connected/authenticated with
> the database. The only software requirement for the LDAP authentication
> then is an Oracle database with the DBMS_LDAP package, which comes with
> Standard edition.
>
> I did something like this last month as a proof-of-concept for
> authenticating against our Active Directory. Basically it involves
> connecting to AD as a read-only lookup user, retrieving the user's DN, then
> attempting to reconnect to AD as that DN with the user-supplied password.
> If the second connection worked, we return TRUE that they're
> authenticated.
>
> ---------------
> Jason Heinrich
> Oracle Database Administrator
> Pensacola Christian College
> (850) 478-8496 x2509
> jheinrich@xxxxxxxx
--
http://www.freelists.org/webpage/oracle-l
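The lookup-then-bind flow that Jason describes in his quoted message and implements in the PL/SQL above, as an added example that is not part of the thread. It is written in Python rather than PL/SQL so it runs offline: the DIRECTORY dictionary, search() and simple_bind() are constructed in-memory stand-ins for Active Directory and DBMS_LDAP (all DNs, account names and passwords in it are made up), while escape_filter_value() applies the real RFC 4515 escaping rules. The point of the block is to show concretely what the three checks in the flow guard against: an unescaped username turning the DN-lookup filter into a match-everything query, an empty password being accepted as an unauthenticated bind, and a username that matches one account's sAMAccountName and another account's mailNickname.

```python
"""Lookup-then-bind LDAP authentication with filter escaping (added example).

Not the PL/SQL from the mailing-list post. DIRECTORY, search() and
simple_bind() are constructed in-memory stand-ins for Active Directory and
DBMS_LDAP so the flow runs offline; escape_filter_value() is RFC 4515.
"""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, str]

# Constructed sample directory: DN -> (attributes, password). Note that
# johnd's mailNickname collides with jdoe's sAMAccountName.
DIRECTORY: Dict[str, Tuple[Entry, str]] = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com":
        ({"objectClass": "user", "sAMAccountName": "jdoe", "mailNickname": "jane"}, "correct horse"),
    "CN=John Doe,OU=Staff,DC=example,DC=com":
        ({"objectClass": "user", "sAMAccountName": "johnd", "mailNickname": "jdoe"}, "battery staple"),
    "CN=Admin,OU=Staff,DC=example,DC=com":
        ({"objectClass": "user", "sAMAccountName": "admin", "mailNickname": "admin"}, "hunter2"),
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def lookup_filter(username: str, escape: bool = True) -> str:
    """The post's DN-lookup filter; escape=False reproduces plain string concatenation."""
    v = escape_filter_value(username) if escape else username
    return "(|(sAMAccountName=%s)(mailNickname=%s))" % (v, v)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(f: str, i: int) -> Tuple[Callable[[Entry], bool], int]:
    """Minimal RFC 4515 filter evaluator: and/or/not, equality, presence, substring."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, subs = f[i], []
        i += 1
        while f[i] == "(":
            p, i = _parse(f, i)
            subs.append(p)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i + 1
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i + 1
        return (lambda e: not subs[0](e)), i + 1
    j = f.index("=", i)
    k = f.index(")", j)
    attr, raw = f[i:j], f[j + 1:k]
    if "*" in raw:  # presence (raw == "*") or substring: only unescaped stars are wildcards
        pat = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return (lambda e: attr in e and re.fullmatch(pat, e[attr], re.S) is not None), k + 1
    val = _unescape(raw)
    return (lambda e: e.get(attr) == val), k + 1


def search(filter_str: str) -> List[str]:
    """Stand-in for DBMS_LDAP.SEARCH_S: DNs whose attributes satisfy the filter."""
    pred, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [dn for dn, (attrs, _) in DIRECTORY.items() if pred(attrs)]


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for DBMS_LDAP.SIMPLE_BIND_S. Like AD, a simple bind with an
    empty password is an *unauthenticated* bind that succeeds for any DN."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def authenticate(username: str, password: str) -> bool:
    """The post's lookup-then-bind flow plus the three checks it needs."""
    if not password:                              # would become an unauthenticated bind
        return False
    matches = search(lookup_filter(username))     # done as the read-only lookup user
    if len(matches) != 1:                         # unknown user, or ambiguous match
        return False
    return simple_bind(matches[0], password)      # rebind as the user's own DN
```

Running search(lookup_filter("*)(objectClass=*", escape=False)) returns every DN in the directory, because the unescaped username closes the sAMAccountName assertion and injects (objectClass=*); with escaping the same input matches nothing. simple_bind() returning True for an empty password is the Active Directory behaviour the password check in authenticate() exists for, and "jdoe" is rejected even with Jane's correct password because it also matches John's mailNickname.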