3.4.7.3.4 Editing LDAP Directory

Edit the LDAP Directory authentication scheme for an instance.

You can configure any authentication scheme that uses a login page to use Lightweight Directory Access Protocol (LDAP) to verify the user name and password submitted on the login page.

An LDAP Credentials authentication scheme requires an LDAP host name, an LDAP port, and a Distinguished Name (DN) string; it also specifies whether to use SSL, whether the DN string is an exact DN, and, when the DN is not exact, an optional search filter. An optional preprocessing function can adjust the formatting of the user name that is passed to the API.

To edit LDAP Directory:

  1. Sign in to Oracle APEX Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Under Authentication Control, scroll down to Development Environment Authentication Schemes.
    The Status column indicates whether an authentication scheme is designated as Current.
  5. Find LDAP Directory and click Edit.
    The Edit Scheme page appears.
  6. Click Make Current Scheme to have applications identify and verify the user using this authentication scheme.
  7. Under Edit Authentication Scheme:
    • PL/SQL Code - Enter a PL/SQL anonymous block of code that contains procedures for pre- and post-authentication entry points. To improve performance, you can also store this code in a PL/SQL package in the database.
    • Pre-Authentication Procedure Name - Specify the name of a procedure to be executed after the login page is submitted and just before credentials verification is performed. The procedure can be defined in the PL/SQL Code attribute or within the database.

      Authentication schemes where user credentials checking is done outside of Oracle APEX typically do not execute the Pre-Authentication procedure. Examples include HTTP Header Variable, Oracle Application Server Single Sign-On, and custom authentication schemes that use APEX_AUTHENTICATION.POST_LOGIN instead of APEX_AUTHENTICATION.LOGIN.

    • Post-Authentication Procedure Name - Specify the name of a procedure to be executed by the Oracle APEX LOGIN procedure after the authentication step (login credentials verification). The LOGIN procedure will execute this code after it performs its normal duties, which include setting a cookie and registering the session, but before it redirects to the desired application page. The procedure can be defined in the PL/SQL Code attribute or within the database.
  8. Under Authentication Scheme Attributes:

    Tip:

    To learn more about an attribute, see field-level Help.
    • Host - Enter the hostname of your LDAP directory server.
    • Port - Specify the port number of your LDAP directory host. The default is 389.
    • Use SSL - Choose whether to use SSL to bind to the LDAP directory. If SSL with Authentication is chosen, a wallet must be configured for the Oracle APEX instance.
    • Distinguished Name (DN) String - Enter the pattern used to construct the fully qualified distinguished name (DN) string to DBMS_LDAP.SIMPLE_BIND_S if using exact DN or the search base if using non-exact DN. Use %LDAP_USER% as a placeholder for the username. Examples:

      Exact DN:

      cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com

      Non-Exact DN (Search Base):

      dc=yourdomain,dc=com

    • Search Filter - Enter the search filter to use when not using an exact distinguished name (DN). Use %LDAP_USER% as a placeholder for the username. For example:

      cn=%LDAP_USER%

    • LDAP Username Edit Function - You may provide additional code to be executed to transform the username into the format expected by the LDAP directory entry or LDAP username. The bind variable :USERNAME contains the name the end user specified. For example, the following code calls a function which replaces every period (".") in the username with an underscore ("_") before it is placed in the DN string:

      return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);

      Oracle APEX will escape the returned username based on the authentication attribute Username Escaping.

    • Username Escaping - Before replacing %LDAP_USER% in the LDAP distinguished name and search string, Oracle APEX can automatically escape special characters in the username. Options include:
      • Standard - Escape special characters based on RFC 4514 (for distinguished names) and RFC 4515 (for search strings). Additionally, escape Unicode characters. This is the most secure setting, but may cause problems with some LDAP servers.

      • Only special characters - Escape special characters based on RFC 4514 (for distinguished names) and RFC 4515 (for search strings). Do not escape Unicode characters.

      • No escaping - Do not escape any characters. This setting is potentially insecure, unless a Username Edit Function is employed that already escapes the username (for example with apex_escape.ldap_dn or apex_escape.ldap_search_filter).

  9. To save your changes, click Apply Changes.
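As an added example (not Oracle's code), the following Python models what the three Username Escaping modes from step 8 do to a submitted username before it replaces %LDAP_USER% in the DN string and in the search filter; the function names and the sample usernames are constructed here, and the escaping rules follow RFC 4514 (DN values) and RFC 4515 (search filters).

```python
PLACEHOLDER = "%LDAP_USER%"

# RFC 4514 section 2.4: characters that need a backslash inside a DN value.
# A leading '#' and a leading or trailing space are escaped as well.
_DN_SPECIAL = set(',+"\\<>;')


def _hex_escape(ch: str) -> str:
    """Escape a character as \\XX per UTF-8 byte (used for NUL and Unicode)."""
    return "".join(f"\\{b:02x}" for b in ch.encode("utf-8"))


def escape_ldap_dn(value: str, escape_unicode: bool = True) -> str:
    """Escape one attribute value for use inside a distinguished name (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00" or (ord(ch) > 0x7F and escape_unicode):
            out.append(_hex_escape(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_ldap_search_filter(value: str, escape_unicode: bool = True) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    out = []
    for ch in value:
        # '*' -> \2a, '(' -> \28, ')' -> \29, '\' -> \5c, NUL -> \00
        if ch in "*()\\\x00" or (ord(ch) > 0x7F and escape_unicode):
            out.append(_hex_escape(ch))
        else:
            out.append(ch)
    return "".join(out)


def substitute_ldap_user(pattern: str, username: str, mode: str, for_filter: bool) -> str:
    """Replace %LDAP_USER% in a DN pattern or search filter using the chosen
    Username Escaping mode: "Standard", "Only special characters" or "No escaping"."""
    if mode == "No escaping":
        escaped = username  # only safe if the Username Edit Function already escaped it
    else:
        esc = escape_ldap_search_filter if for_filter else escape_ldap_dn
        escaped = esc(username, escape_unicode=(mode == "Standard"))
    return pattern.replace(PLACEHOLDER, escaped)


if __name__ == "__main__":
    dn, flt = "cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com", "cn=%LDAP_USER%"
    for user in ("jsmith", "Smith, John (Contractor)", "Zoë"):  # constructed sample usernames
        for mode in ("Standard", "Only special characters", "No escaping"):
            print(f"{mode:24} DN:     {substitute_ldap_user(dn, user, mode, False)}")
            print(f"{'':24} filter: {substitute_ldap_user(flt, user, mode, True)}")
```

Running it shows why "Standard" is the safest default: a comma in the username is neutralised in the DN, parentheses are neutralised in the filter, and non-ASCII letters are hex-escaped, whereas "No escaping" passes all of them through unchanged.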