Re: How to setup authentication for different user groups using APEX and LDAP

  • From: De DBA <dedba@xxxxxxxxxx>
  • To: Ian.Cary@xxxxxxxxxxxxxx
  • Date: Thu, 14 Jul 2011 22:55:32 +1000

Thanks Ian.

No, we don't use OID but the CentOS Directory Server (version 8.1), which 
appears to be a decendant of the Sun Java Enterprise System/iPlanet Directory 
server.

The one thing that stands out to me (having worked with the Sun/iPlanet product 
for a long time) is that there are no unique attributes. In the Sun product, 
the UID was enforced to be unique (perhaps due to our setup) throughout the 
database, but the Centos product apparently cannot do this. I'm not sure how 
that would work if there are two identical UIDs in different OUs, and the app 
tries to authenticate using the UID (as it does). This is why the developer 
wants to cascade through the different OUs.

Perhaps the CentOS DS can enforce uniqueness, but I simply failed to find the 
howto?

Cheers,
Tony

On 14/07/11 22:04, Ian Cary wrote:

You don't say whether you are using OID or not so I'm not sure if this is
applicable but what I do with OID and Apex is allow  the user to
authenticate and then use HTMLDB_LDAP.IS_MEMBER_OF to obtain the group
membership. Once you have that it is straightforward to get the application
to behave differently for different groups.

Cheers,

Ian



|---------+----------------------------->
|         |           dedba@xxxxxxxxxx  |
|         |           Sent by:          |
|         |           oracle-l-bounce@fr|
|         |           eelists.org       |
|         |                             |
|         |                             |
|         |           14/07/2011 12:33  |
|         |           Please respond to |
|         |           dedba             |
|         |                             |
|---------+----------------------------->
   
>--------------------------------------------------------------------------------------------------------------------------------------------------|
   |                                                                            
                                                                      |
   |       To:       oracle-l@xxxxxxxxxxxxx                                     
                                                                      |
   |       cc:                                                                  
                                                                      |
   |       Subject:  How to setup authentication for different user groups 
using APEX and LDAP                                                        |
   |                                                                            
                                                                      |
   |                                                                            
                                                                      |
   
>--------------------------------------------------------------------------------------------------------------------------------------------------|




G'day

The environment is APEX in Oracle 10g (Express initially), and Centos
Directory Server 8.1.

One of our Apex developers is trying to use LDAP to authenticate users to
his application. The complication here is that there are two distinct user
groups. One group is the company staff, whereas the other group can contain
students, customers, staff and selected members of the public. All users
will have records in the same directory server, although not in the same
branch of the directory tree. Group 1 (staff) has "administrator"
privileges, that is access to all parts of the application. Group 2 can
only log in to fill out specially customised forms.

The method proposed to get about this is to attempt to authenticate the
user as a staff member first, then to attempt authentication as a member of
group 2 and fail if not succeed. For this, it is proposed to use two RDNs,
say ou=ourPeople and ou=otherPeople, and do a search/bind with either of
them as the base DN in order.

I am thinking that this is not particularly flexible and perhaps there are
better solutions out there. If, for instance, in the future management
decides that we need a third group, say ou=theOtherMob, then the
authentication code will have to be changed. I have tried to find examples
or "best practices" online, but found nothing. If you have thoughts or have
come across examples on how to set this up, can you please share them?

Cheers,
Tony

--
//www.freelists.org/webpage/oracle-l






For the latest data on the economy and society consult National Statistics at 
http://www.ons.gov.uk

*********************************************************************************


Please Note:  Incoming and outgoing email messages are routinely monitored for 
compliance with our policy on the use of electronic communications
*********************************************************************************


Legal Disclaimer  :  Any views expressed by the sender of this message are not 
necessarily those of the Office for National Statistics
*********************************************************************************


The original of this email was scanned for viruses by the Government Secure 
Intranet virus scanning service supplied by Cable&Wireless Worldwide in 
partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving 
the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or 
recorded for legal purposes.
--
//www.freelists.org/webpage/oracle-l






--
//www.freelists.org/webpage/oracle-l

Other related posts:

  1. Home
  2. oracle-l
  3. Archive
  4. 07-2011