RE: ldap authentication

  • From: "Goulet, Dick" <DGoulet@xxxxxxxx>
  • To: "Jason Heinrich" <jheinrich@xxxxxxxx>, "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 26 Aug 2005 12:47:19 -0400

Jason,

        Thanks.  This IS going to be VERY helpful. 

-----Original Message-----
From: Jason Heinrich [mailto:jheinrich@xxxxxxxx] 
Sent: Friday, August 26, 2005 12:01 PM
To: Goulet, Dick; oracle-l
Subject: Re: ldap authentication

Here it is.  Obviously some customization will be necessary for your
directory's structure.

CREATE OR REPLACE FUNCTION LDAP_AUTHENTICATE
 (i_username IN VARCHAR2, i_password IN VARCHAR2) RETURN BOOLEAN
AS
  c_Directory   CONSTANT VARCHAR2(50) := <address of directory>;
  c_Port        CONSTANT NUMBER(4) := 389;
  c_BaseDN      CONSTANT VARCHAR2(200) := <base DN (where to start looking)>;
  c_InitUser    CONSTANT VARCHAR2(200) := <DN of lookup user>;
  c_InitPass    CONSTANT VARCHAR2(32) := <password of lookup user>;
  
  v_session       DBMS_LDAP.SESSION;
  v_success       PLS_INTEGER;
  v_attributes    DBMS_LDAP.STRING_COLLECTION;
  v_result        DBMS_LDAP.MESSAGE;
  v_userdn        VARCHAR2(2000);
  v_safe_user     VARCHAR2(4000);
  v_authenticated BOOLEAN := FALSE;
  
BEGIN
  --An empty password would turn the second bind into an anonymous
  --(unauthenticated) bind, which AD accepts, so reject it up front.
  IF i_password IS NULL THEN
    RETURN FALSE;
  END IF;

  --Escape the RFC 4515 filter metacharacters so the username is matched
  --literally (backslash first, so the other escapes are not doubled).
  v_safe_user := REPLACE(i_username, '\', '\5c');
  v_safe_user := REPLACE(v_safe_user, '*', '\2a');
  v_safe_user := REPLACE(v_safe_user, '(', '\28');
  v_safe_user := REPLACE(v_safe_user, ')', '\29');
  v_safe_user := REPLACE(v_safe_user, CHR(0), '\00');

  --Open initial lookup session.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, c_InitUser, c_InitPass);
  IF v_success = DBMS_LDAP.SUCCESS THEN
    --Retrieve user's DN.  I look in both sAMAccountName and mailNickname
    --for a match to the username.
    v_attributes(1) := NULL;
    v_success := DBMS_LDAP.SEARCH_S(ld => v_session,
                                   base => c_BaseDN,
                                   scope => DBMS_LDAP.SCOPE_SUBTREE,
                                   filter => '(|(sAMAccountName=' || v_safe_user ||
                                             ')(mailNickname=' || v_safe_user || '))',
                                   attrs => v_attributes,
                                   attronly => 0,
                                   res => v_result);
    IF v_success = DBMS_LDAP.SUCCESS THEN
      --Get the first DN that was returned.
      v_userdn := DBMS_LDAP.GET_DN(v_session, DBMS_LDAP.FIRST_ENTRY(v_session, v_result));
      IF v_userdn IS NOT NULL THEN
        --We have their dn, so we can now try to authenticate them.
        v_success := DBMS_LDAP.UNBIND_S(v_session);
        v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
        v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, v_userdn, i_password);
        --Only a successful bind as the user's own DN counts; a successful
        --lookup bind and search on their own must not return TRUE.
        v_authenticated := (v_success = DBMS_LDAP.SUCCESS);
      END IF;
    END IF;
  END IF;
  
  --Close whichever session is still open before returning.
  v_success := DBMS_LDAP.UNBIND_S(v_session);
  RETURN v_authenticated;
  
EXCEPTION
  WHEN OTHERS THEN
    --With DBMS_LDAP.USE_EXCEPTION (the default) a failed bind raises
    --instead of returning an error code; either way the answer is "no".
    BEGIN
      v_success := DBMS_LDAP.UNBIND_S(v_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RETURN FALSE;
END;

---------------
Jason Heinrich
Oracle Database Administrator
Pensacola Christian College
(850) 478-8496 x2509
jheinrich@xxxxxxxx


> From: "Goulet, Dick" <DGoulet@xxxxxxxx>
> Date: Fri, 26 Aug 2005 11:19:56 -0400
> To: <jheinrich@xxxxxxxx>, <stellr@xxxxxxxxxx>, oracle-l
> <oracle-l@xxxxxxxxxxxxx>
> Subject: RE: ldap authentication
> 
> Jason,
> 
> Would you care to share that proof of concept code???
> 
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Heinrich
> Sent: Friday, August 26, 2005 11:16 AM
> To: stellr@xxxxxxxxxx; oracle-l
> Subject: Re: ldap authentication
> 
> The article in question is talking about logging into an application
> (especially an HTMLDB application), not logging into the database.  The
> assumption is that the application is already connected/authenticated with
> the database.  The only software requirement for the LDAP authentication
> then is an Oracle database with the DBMS_LDAP package, which comes with
> Standard Edition.
> 
> I did something like this last month as a proof-of-concept for
> authenticating against our Active Directory.  Basically it involves
> connecting to AD as a read-only lookup user, retrieving the user's DN, then
> attempting to reconnect to AD as that DN with the user-supplied password.
> If the second connection worked, we return TRUE that they're authenticated.
> 
> ---------------
> Jason Heinrich
> Oracle Database Administrator
> Pensacola Christian College
> (850) 478-8496 x2509
> jheinrich@xxxxxxxx

--
//www.freelists.org/webpage/oracle-l
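The two-bind pattern Jason describes (bind as a lookup account, search for the user's DN, re-bind as that DN with the supplied password) has two failure modes that are easy to miss when the code is only ever tried with a valid login: an empty password makes the second bind an unauthenticated bind, which Active Directory accepts by default, and an unescaped username is interpolated into the search filter, so a value such as "*" resolves to whichever entry the server returns first. The following Python model is an added example, not code from the thread or from Oracle; it replaces the real directory with a constructed in-memory FakeDirectory (its entries, DNs, attribute names and the LOOKUP_DN / LOOKUP_PW constants are all invented for the example) so both problems, and the hardened lookup that closes them, can be exercised offline. It does not model transport; a simple bind on port 389 without TLS sends the lookup password and the user's password in clear text, which is what DBMS_LDAP.OPEN_SSL is for.

```python
"""Offline model of the lookup-then-rebind LDAP authentication pattern.

Everything here is constructed for the example: the FakeDirectory, its
entries and the lookup account. FakeDirectory.simple_bind follows the
Active Directory default in which an empty password yields a successful
unauthenticated bind.
"""
import re

# Constructed lookup account, standing in for c_InitUser / c_InitPass.
LOOKUP_DN = "CN=ldap-lookup,OU=Service,DC=example,DC=com"
LOOKUP_PW = "lookup-secret"

# RFC 4515 escaping for values embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied string so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt, pos=0):
    """Parse the filter subset the lookup code builds: (&..), (|..), (attr=value)."""
    pos += 1  # skip '('
    if filt[pos] in "&|":
        op, pos, kids = filt[pos], pos + 1, []
        while filt[pos] == "(":
            kid, pos = _parse(filt, pos)
            kids.append(kid)
        return (op, kids), pos + 1  # skip ')'
    end = filt.index(")", pos)
    attr, _, pattern = filt[pos:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    if attr not in entry:
        return False
    # A raw '*' is a wildcard; the escaped form '\2a' is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, entry[attr], re.IGNORECASE) is not None


class FakeDirectory:
    """Constructed stand-in for the AD server behind the DBMS_LDAP calls."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {lower-cased attribute: value}

    def simple_bind(self, dn, password):
        if password == "":
            return True  # AD default: empty password => unauthenticated bind succeeds
        entry = self.entries.get(dn)
        return entry is not None and entry["userpassword"] == password

    def search(self, filt):
        node, _ = _parse(filt)
        return [dn for dn, e in self.entries.items() if _matches(node, e)]


def lookup_dn(directory, username, hardened=True):
    """Step 1: bind as the lookup account and resolve the user's DN."""
    if not directory.simple_bind(LOOKUP_DN, LOOKUP_PW):
        return None
    if hardened:
        username = escape_filter_value(username)
    dns = directory.search(f"(|(sAMAccountName={username})(mailNickname={username}))")
    if hardened and len(dns) != 1:
        return None  # no match or ambiguous: refuse rather than take the first hit
    return dns[0] if dns else None


def authenticate(directory, username, password, hardened=True):
    """Step 2: re-bind as the resolved DN with the user-supplied password."""
    if hardened and not password:
        return False  # never forward an empty password: it would bind anonymously
    dn = lookup_dn(directory, username, hardened)
    return dn is not None and directory.simple_bind(dn, password)


# Constructed sample directory; insertion order matters because the naive
# code takes the first entry the search returns.
DIRECTORY = FakeDirectory({
    "CN=Domain Admin,OU=Admins,DC=example,DC=com":
        {"samaccountname": "dadmin", "mailnickname": "admin", "userpassword": "Adm1n!"},
    LOOKUP_DN:
        {"samaccountname": "ldap-lookup", "userpassword": LOOKUP_PW},
    "CN=Jane Doe,OU=Users,DC=example,DC=com":
        {"samaccountname": "jdoe", "mailnickname": "jane.doe", "userpassword": "s3cret"},
})

if __name__ == "__main__":
    print("naive, empty password:", authenticate(DIRECTORY, "jdoe", "", hardened=False))  # True
    print("naive, username '*':  ", lookup_dn(DIRECTORY, "*", hardened=False))            # admin DN
    print("hardened, same inputs:", authenticate(DIRECTORY, "jdoe", ""), lookup_dn(DIRECTORY, "*"))
    print("hardened, good login: ", authenticate(DIRECTORY, "jane.doe", "s3cret"))        # True
```

The hardened path makes three changes to the posted logic: it refuses an empty password before touching the directory, it escapes the username before building the filter, and it insists on exactly one search hit instead of binding as "the first DN that was returned". The same three changes map one-to-one onto the PL/SQL function above (a NULL check on i_password, REPLACE calls for the RFC 4515 metacharacters, and a count check on the search result).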
