Jason,

Thanks. This IS going to be VERY helpful.

-----Original Message-----
From: Jason Heinrich [mailto:jheinrich@xxxxxxxx]
Sent: Friday, August 26, 2005 12:01 PM
To: Goulet, Dick; oracle-l
Subject: Re: ldap authentication

Here it is. Obviously some customization will be necessary for your
directory's structure.

CREATE OR REPLACE FUNCTION LDAP_AUTHENTICATE (i_username IN VARCHAR2,
                                              i_password IN VARCHAR2)
RETURN BOOLEAN AS
  -- A PROCEDURE cannot RETURN a value; this has to be a FUNCTION.
  c_Directory CONSTANT VARCHAR2(50)  := <address of directory>;
  c_Port      CONSTANT NUMBER(4)     := 389;
  c_BaseDN    CONSTANT VARCHAR2(200) := <base DN (where to start looking)>;
  c_InitUser  CONSTANT VARCHAR2(200) := <DN of lookup user>;
  c_InitPass  CONSTANT VARCHAR2(32)  := <password of lookup user>;
  v_session       DBMS_LDAP.SESSION;
  v_success       PLS_INTEGER;
  v_attributes    DBMS_LDAP.STRING_COLLECTION;
  v_result        DBMS_LDAP.MESSAGE;
  v_userdn        VARCHAR2(2000);
  v_safe_user     VARCHAR2(4000);
  v_authenticated BOOLEAN := FALSE;

  -- Escape the RFC 4515 filter metacharacters so a username such as
  -- '*' or 'x)(objectClass=*' cannot change the meaning of the search filter.
  FUNCTION escape_filter (p_value IN VARCHAR2) RETURN VARCHAR2 IS
    v VARCHAR2(4000) := p_value;
  BEGIN
    v := REPLACE(v, '\', '\5c');   -- backslash first, so the escapes below are not re-escaped
    v := REPLACE(v, '*', '\2a');
    v := REPLACE(v, '(', '\28');
    v := REPLACE(v, ')', '\29');
    v := REPLACE(v, CHR(0), '\00');
    RETURN v;
  END escape_filter;
BEGIN
  -- An empty password must fail here: a simple bind with a DN and no password is an
  -- unauthenticated (anonymous) bind, which most directories, AD included, accept.
  IF i_username IS NULL OR i_password IS NULL THEN
    RETURN FALSE;
  END IF;
  v_safe_user := escape_filter(i_username);

  --Open initial lookup session.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, c_InitUser, c_InitPass);
  IF v_success = DBMS_LDAP.SUCCESS THEN
    --Retrieve user's DN. I look in both sAMAccountName and mailNickname for a match to the username.
    v_attributes(1) := NULL;
    v_success := DBMS_LDAP.SEARCH_S(ld       => v_session,
                                    base     => c_BaseDN,
                                    scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                    filter   => '(|(sAMAccountName=' || v_safe_user ||
                                                ')(mailNickname=' || v_safe_user || '))',
                                    attrs    => v_attributes,
                                    attronly => 0,
                                    res      => v_result);
    -- Only read a DN when the search actually returned an entry.
    IF v_success = DBMS_LDAP.SUCCESS
       AND DBMS_LDAP.COUNT_ENTRIES(v_session, v_result) > 0 THEN
      --Get the first DN that was returned.
      v_userdn := DBMS_LDAP.GET_DN(v_session, DBMS_LDAP.FIRST_ENTRY(v_session, v_result));
    END IF;
  END IF;
  -- Close the lookup session on every path, not only when a DN was found.
  v_success := DBMS_LDAP.UNBIND_S(v_session);

  IF v_userdn IS NULL THEN
    RETURN FALSE;
  END IF;

  --We have their dn, so we can now try to authenticate them.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, v_userdn, i_password);
  v_authenticated := (v_success = DBMS_LDAP.SUCCESS);
  -- Close the user's session too, whatever the outcome.
  v_success := DBMS_LDAP.UNBIND_S(v_session);
  RETURN v_authenticated;
EXCEPTION
  WHEN OTHERS THEN
    RETURN FALSE;
END LDAP_AUTHENTICATE;
/

---------------
Jason Heinrich
Oracle Database Administrator
Pensacola Christian College
(850) 478-8496 x2509
jheinrich@xxxxxxxx

> From: "Goulet, Dick" <DGoulet@xxxxxxxx>
> Date: Fri, 26 Aug 2005 11:19:56 -0400
> To: <jheinrich@xxxxxxxx>, <stellr@xxxxxxxxxx>, oracle-l
> <oracle-l@xxxxxxxxxxxxx>
> Subject: RE: ldap authentication
>
> Jason,
>
> Would you care to share that proof of concept code???
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Heinrich
> Sent: Friday, August 26, 2005 11:16 AM
> To: stellr@xxxxxxxxxx; oracle-l
> Subject: Re: ldap authentication
>
> The article in question is talking about logging into an application
> (especially an HTMLDB application), not logging into the database. The
> assumption is that the application is already connected/authenticated
> with the database. The only software requirement for the LDAP
> authentication then is an Oracle database with the DBMS_LDAP package,
> which comes with Standard Edition.
>
> I did something like this last month as a proof-of-concept for
> authenticating against our Active Directory. Basically it involves
> connecting to AD as a read-only lookup user, retrieving the user's DN,
> then attempting to reconnect to AD as that DN with the user-supplied
> password. If the second connection worked, we return TRUE that they're
> authenticated.
>
> ---------------
> Jason Heinrich
> Oracle Database Administrator
> Pensacola Christian College
> (850) 478-8496 x2509
> jheinrich@xxxxxxxx

--
//www.freelists.org/webpage/oracle-l
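The search filter in the posted function is built by concatenating the user-supplied name into `(|(sAMAccountName=...)(mailNickname=...))`. The following is an added example, not code from the thread, showing why the name has to be escaped per RFC 4515 before it goes into the filter. It is written in Python so it runs without a directory: `escape_filter_value` is the same five replacements an escaping helper does in PL/SQL, `raw_user_filter` builds the filter exactly as the posted code does, `safe_user_filter` escapes first, and a small evaluator (only `|`, `&`, `!`, equality and `*` wildcards, which is all these filters need) runs both against a constructed two-entry directory. The sample entries and usernames are made up for the demonstration.

```python
# Added example (not from the oracle-l thread). Demonstrates LDAP filter
# escaping (RFC 4515) for the username that LDAP_AUTHENTICATE concatenates
# into its search filter, using a constructed in-memory directory.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; per-character mapping avoids double escaping."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def raw_user_filter(username: str) -> str:
    """The filter exactly as the posted PL/SQL builds it: plain concatenation."""
    return "(|(sAMAccountName=" + username + ")(mailNickname=" + username + "))"


def safe_user_filter(username: str) -> str:
    """Same shape, but the username is escaped first."""
    u = escape_filter_value(username)
    return "(|(sAMAccountName=" + u + ")(mailNickname=" + u + "))"


def _parse(s: str, i: int):
    """Minimal RFC 4515 parser: returns (node, index after the closing paren)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "|&":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return ("!", node), i + 1
    j = s.index("=", i)
    attr = s[i:j].lower()
    k, pieces, cur = j + 1, [], []
    # The value runs to the next *unescaped* ')'; '\XX' is a hex escape and an
    # unescaped '*' is a wildcard, so the value becomes literal pieces between wildcards.
    while s[k] != ")":
        if s[k] == "\\":
            cur.append(chr(int(s[k + 1:k + 3], 16)))
            k += 3
        elif s[k] == "*":
            pieces.append("".join(cur))
            cur = []
            k += 1
        else:
            cur.append(s[k])
            k += 1
    pieces.append("".join(cur))
    return ("=", attr, [p.lower() for p in pieces]), k + 1


def _match_pattern(pieces, value: str) -> bool:
    """Wildcard match: pieces are the literal runs separated by '*'."""
    if len(pieces) == 1:
        return value == pieces[0]
    if not value.startswith(pieces[0]):
        return False
    pos = len(pieces[0])
    for piece in pieces[1:-1]:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return len(value) - pos >= len(pieces[-1]) and value.endswith(pieces[-1])


def _eval(node, entry) -> bool:
    kind = node[0]
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1], entry)
    _, attr, pieces = node
    return any(_match_pattern(pieces, v.lower()) for v in entry.get(attr, []))


def matches(filter_str: str, entry: dict) -> bool:
    """True if the entry (attr -> list of values) satisfies the filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data in filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})


# Constructed sample directory, not real accounts.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": ["jheinrich"], "mailNickname": ["jason"], "objectClass": ["user"]},
    {"sAMAccountName": ["dgoulet"], "mailNickname": ["dick"], "objectClass": ["user"]},
]


def users_matched(filter_str: str):
    """sAMAccountNames of sample entries the filter selects."""
    return [e["sAMAccountName"][0] for e in SAMPLE_DIRECTORY if matches(filter_str, e)]
```

With a normal login name both filters select the one intended entry. With `*`, the raw filter selects every entry with a sAMAccountName, and with `nobody)(objectClass=*` it gains two extra `(objectClass=*)` clauses inside the OR, so the lookup returns the first entry in the tree rather than the named user; the escaped filter selects nothing in both cases. Because the posted function then binds as whatever DN the search returned, the escaping decides which account the supplied password is tested against.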