AD Authentication in Application Express

This post was, curiously, quite popular for a while. I guess people do still want to authenticate APEX users via AD.

A recent post on the Oracle XE forum about replacing mod_ntlm as an authentication mechanism for applications on Windows prompted me to write up a mechanism you can use to authenticate users of your application against a Microsoft Active Directory. It works as follows. You create a custom authentication function for HTMLDB; this must take two parameters with specific names, and only those two parameters, and return a boolean indicating success or failure. My function merely takes the username and password supplied by the end user and attempts a simple LDAP bind against AD. By default this will work for all AD users in your organisation: if the bind succeeds the user is authenticated, and if it fails the user isn't. The function itself can be downloaded here. A step by step guide is below:

  • Create a new database user U1 – I used the HTMLDB
    interface for user administration.
  • Login as u1 and create demo application
  • Navigate to the sql workshop
  • Load the authenticate_aduser script and edit it for the
    domain controller hostname and your domain (in the post-Windows 2000
    user@domain format)
  • Run the script
  • You should check that the script was successful
  • Return to your application in application builder and
    choose shared components>authentication schemes and create a new
    authentication scheme from scratch.
  • You only need enter a name for the scheme – I used ad_auth
  • Click the new scheme to edit it, ensure that you enter the
    authentication function as shown below.
  • Now change the authentication scheme to ad_auth and test
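The function the post describes, written out here as an added example rather than the downloadable authenticate_aduser script from the original post: a PL/SQL function with the two fixed parameter names APEX passes to a custom authentication function, p_username and p_password, which builds the user@domain logon name and attempts a simple bind through the DBMS_LDAP package. The domain controller hostname dc01.example.com and the domain example.com are placeholders to replace with your own. One check is added that a plain bind does not give you: Active Directory treats a simple bind with an empty password as an anonymous bind and reports success, so an empty password must be rejected before binding or any valid username would log in without credentials.

```plsql
-- Added example: not the script distributed with the original post.
-- dc01.example.com and example.com are placeholders for your own DC and domain.
CREATE OR REPLACE FUNCTION authenticate_aduser (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
IS
  c_ldap_host CONSTANT VARCHAR2(100) := 'dc01.example.com'; -- placeholder domain controller
  c_ldap_port CONSTANT PLS_INTEGER   := 389;                -- plain LDAP; see note below on LDAPS
  c_domain    CONSTANT VARCHAR2(100) := 'example.com';      -- placeholder UPN suffix
  l_session   DBMS_LDAP.session;
  l_retval    PLS_INTEGER;
  l_bind_dn   VARCHAR2(400);
BEGIN
  -- AD accepts a simple bind with an empty password as an anonymous bind and
  -- returns success, so an empty password must never reach simple_bind_s.
  IF p_username IS NULL OR p_password IS NULL THEN
    RETURN FALSE;
  END IF;

  -- Keep the target domain fixed: refuse names that already carry a UPN
  -- suffix (user@other.domain) or a NetBIOS prefix (OTHER\user).
  IF INSTR(p_username, '@') > 0 OR INSTR(p_username, '\') > 0 THEN
    RETURN FALSE;
  END IF;

  -- The "post-Windows 2000" logon name format: user@domain.
  l_bind_dn := p_username || '@' || c_domain;

  -- Raise exceptions instead of returning LDAP result codes.
  DBMS_LDAP.use_exception := TRUE;

  l_session := DBMS_LDAP.init(hostname => c_ldap_host, portnum => c_ldap_port);

  -- A successful simple bind is the authentication; a bad password, a locked
  -- or disabled account, or an unreachable DC all raise and land in the handler.
  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => l_bind_dn,
                                      passwd => p_password);
  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
  RETURN TRUE;
EXCEPTION
  WHEN OTHERS THEN
    -- Release the LDAP session if one was opened; failure to unbind must not
    -- turn a denied login into an unhandled error in APEX.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RETURN FALSE;
END authenticate_aduser;
/
```

In the APEX authentication scheme this is referenced as the authentication function (in the APEX releases of that era the field takes the form `return authenticate_aduser;`). Two points a practitioner should weigh: on port 389 the simple bind sends the user's domain password to the controller in clear text, so an LDAPS connection (port 636 set up with DBMS_LDAP.open_ssl and an Oracle wallet holding the DC's certificate) is preferable on anything but an isolated network; and every failed login is a failed bind against AD, so a web-facing login form will count towards the domain's account lockout policy for that user.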

    Automatic login from Internet Explorer

    This is a great article - I was aware that you could somehow use LDAP to authenticate Windows users, but had never seen enough details to get things working. Thanks for putting it together.
    One difference with this method as compared to mod_ntlm is that the latter (when set up correctly, i.e. according to the note I found on the APEX forums!) automatically logs you on, if you're using Internet Explorer and have already logged into the domain. So you get no userid/password prompt, and true single sign-on. Is it possible to do this using LDAP, as well?

    It's a long time

    Since I wrote that article, probably 3 years, so I don't know the answer, but I'd 'expect' that provided your os user is genuinely authenticated through an LDAP service such as AD then it would be possible. As it happens I'm playing around with APEX again just now and will need authentication when our app goes live so I'll see what I can find. Thanks for the feedback.
    Niall Litchfield
    Site Owner
    orawin.info

    I am unable to see the

    I am unable to see the download and all the pictures but really need the help in using APEX and authenticating using LDAP. If you could send me the script and pictures or exactly what I need to do to implement LDAP I would be most grateful.

    Thanks
