20.4.3.7 LDAP Directory

Authenticate a user name and password by sending a bind request to an LDAP server.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Oracle APEX instances running in Oracle Cloud.

20.4.3.7.1 About LDAP Directory Verification

You can configure any authentication scheme that uses a login page to use Lightweight Directory Access Protocol (LDAP) to verify the user name and password submitted on the login page.

App Builder includes wizards and edit pages that explain how to configure this option. These wizards assume that an LDAP directory accessible to your application for this purpose already exists and that it can answer a SIMPLE_BIND_S call to verify credentials. When you create an LDAP Credentials authentication scheme, the wizard requests and saves the LDAP host name, the LDAP port and the DN string, whether to use SSL, whether the DN string is exact, and, when it is not exact, a search filter. An optional preprocessing function can be specified to adjust the formatting of the user name passed to the API.

20.4.3.7.2 Setting Up LDAP Directory Verification

To set up LDAP Directory:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select LDAP Directory.
  8. Under Settings:
    1. Host - Enter the hostname of your LDAP directory server.
    2. Port - Enter the port number of your LDAP directory host. The default is 389.
    3. Use SSL - Choose whether to use SSL to bind to the LDAP directory. If SSL with Authentication is chosen, a wallet must be configured for the Oracle APEX instance.
    4. Distinguished Name (DN) String - Enter the pattern used to construct the fully qualified distinguished name (DN) string passed to DBMS_LDAP.SIMPLE_BIND_S if using exact DN, or the search base if using non-exact DN. Use %LDAP_USER% as a placeholder for the username. For example:

      Exact DN:

      cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com

      Non-Exact DN (Search Base):

    5. Use Distinguished Name (DN) - Choose whether the LDAP Distinguished Name (DN) String is exact or non-exact. If non-exact, LDAP Distinguished Name (DN) is the search base and you must supply a Search Filter.
    6. LDAP Username Edit Function - You may provide additional code to be executed to transform the username into the form that the LDAP directory entry or LDAP username requires. The bind variable :USERNAME contains the name the end user entered. For example, the following code calls a function that replaces all periods (.) with underscores (_) in the DN string:
      return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);
      
    7. Username Escaping - Choose how Oracle APEX escapes special characters in %LDAP_USER%. The correct value for this attribute depends on the LDAP server in use and on whether an LDAP Username Edit Function already escapes special characters.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.

    Note:

    If you choose SSL with Authentication as the SSL mode, a wallet must be set up using the Oracle APEX instance settings. Additionally, the root certificate of the LDAP server's certificate chain must be imported into that wallet as a trusted certificate.
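The following anonymous PL/SQL block is an added illustration, not Oracle APEX's own implementation, of what the Settings above control: how %LDAP_USER% is substituted into the DN string, what the LDAP Username Edit Function and Username Escaping contribute, and how exact DN mode (bind directly) differs from non-exact mode (search from the base, then bind with the DN found). The host, port, search base, filter, login credentials and the helper functions edit_username, escape_dn_value and escape_filter_value are all constructed for this example; only DBMS_LDAP calls are the real API.

```plsql
DECLARE
  -- Values as they would be entered under Settings (constructed, not a real directory)
  c_host      CONSTANT VARCHAR2(100) := 'ldap.example.com';
  c_port      CONSTANT PLS_INTEGER   := 389;
  c_exact_dn  CONSTANT VARCHAR2(200) := 'cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com';
  c_base_dn   CONSTANT VARCHAR2(200) := 'dc=yourdomain,dc=com';                     -- non-exact: search base (assumed)
  c_filter    CONSTANT VARCHAR2(200) := '(&(objectClass=person)(uid=%LDAP_USER%))'; -- assumed search filter

  -- What the login page would submit (constructed)
  c_username  CONSTANT VARCHAR2(100) := 'jane.doe';
  c_password  CONSTANT VARCHAR2(100) := 'correct horse battery staple';

  l_ld        DBMS_LDAP.session;
  l_attrs     DBMS_LDAP.string_collection;
  l_res       DBMS_LDAP.message;
  l_entry     DBMS_LDAP.message;
  l_dn        VARCHAR2(1000);
  l_rc        PLS_INTEGER;

  -- Hypothetical stand-in for an LDAP Username Edit Function: the same
  -- period-to-underscore rewrite the page attributes to apex_custom_auth.ldap_dnprep.
  FUNCTION edit_username (p_username IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(p_username, '.', '_');
  END;

  -- Exact DN mode: the username lands inside a DN, so escape per RFC 4514.
  -- This is what the Username Escaping setting does for you; shown here to make it visible.
  FUNCTION escape_dn_value (p_value IN VARCHAR2) RETURN VARCHAR2 IS
    l_out     VARCHAR2(4000) := REPLACE(p_value, '\', '\\');  -- backslash first, so later escapes are not doubled
    l_special CONSTANT VARCHAR2(10) := ',+"<>;';
  BEGIN
    FOR i IN 1 .. LENGTH(l_special) LOOP
      l_out := REPLACE(l_out, SUBSTR(l_special, i, 1), '\' || SUBSTR(l_special, i, 1));
    END LOOP;
    IF SUBSTR(l_out, 1, 1) IN ('#', ' ') THEN                  -- leading # or space
      l_out := '\' || l_out;
    END IF;
    IF SUBSTR(l_out, -1) = ' ' THEN                            -- trailing space
      l_out := SUBSTR(l_out, 1, LENGTH(l_out) - 1) || '\ ';
    END IF;
    RETURN l_out;
  END;

  -- Non-exact mode: the username lands inside a search filter, so escape per RFC 4515.
  FUNCTION escape_filter_value (p_value IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2(4000) := REPLACE(p_value, '\', '\5c');      -- backslash first
  BEGIN
    l_out := REPLACE(l_out, '*', '\2a');
    l_out := REPLACE(l_out, '(', '\28');
    l_out := REPLACE(l_out, ')', '\29');
    l_out := REPLACE(l_out, CHR(0), '\00');
    RETURN l_out;
  END;
BEGIN
  -- RFC 4513: a bind with an empty password is an unauthenticated bind that many
  -- servers accept, so never let an empty login-page password reach SIMPLE_BIND_S.
  IF c_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'empty password rejected before bind');
  END IF;

  DBMS_LDAP.use_exception := TRUE;                             -- turn DBMS_LDAP error codes into exceptions
  l_ld := DBMS_LDAP.init(c_host, c_port);

  -- Mode 1: Use Distinguished Name (DN) = exact. The DN string itself is the bind DN.
  -- Order assumed here: edit function first, then escaping of its result.
  l_dn := REPLACE(c_exact_dn, '%LDAP_USER%', escape_dn_value(edit_username(c_username)));
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, l_dn, c_password);     -- raises on bad credentials
  DBMS_OUTPUT.put_line('exact DN bind ok as ' || l_dn);
  l_rc := DBMS_LDAP.unbind_s(l_ld);

  -- Mode 2: non-exact. The DN string is the search base; the Search Filter locates
  -- the entry, and the DN of that entry is what gets bound. The search runs on an
  -- unauthenticated session here; a directory that forbids anonymous search needs a
  -- service-account bind first (not covered by the page).
  l_ld := DBMS_LDAP.init(c_host, c_port);
  l_attrs(1) := 'cn';
  l_rc := DBMS_LDAP.search_s(l_ld, c_base_dn, DBMS_LDAP.SCOPE_SUBTREE,
                             REPLACE(c_filter, '%LDAP_USER%',
                                     escape_filter_value(edit_username(c_username))),
                             l_attrs, 0, l_res);
  IF DBMS_LDAP.count_entries(l_ld, l_res) <> 1 THEN             -- ambiguous match must not authenticate
    RAISE_APPLICATION_ERROR(-20002, 'search filter must match exactly one entry');
  END IF;
  l_entry := DBMS_LDAP.first_entry(l_ld, l_res);
  l_dn    := DBMS_LDAP.get_dn(l_ld, l_entry);
  l_rc    := DBMS_LDAP.simple_bind_s(l_ld, l_dn, c_password);
  DBMS_OUTPUT.put_line('search-then-bind ok as ' || l_dn);
  l_rc := DBMS_LDAP.msgfree(l_res);
  l_rc := DBMS_LDAP.unbind_s(l_ld);
END;
/
```

The two escaping helpers are the reason the Username Escaping setting exists: a login name such as `jane,ou=admins` would otherwise alter the DN in exact mode, and `*)(uid=*` would alter the filter in non-exact mode. When a Username Edit Function already returns an escaped value, escaping it a second time produces a DN or filter that never matches, which is why the page says the correct Username Escaping value depends on what the edit function does.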

See Also: