Edit the LDAP Directory authentication scheme for an instance.
You can configure any authentication scheme that uses a login page to use Lightweight Directory Access Protocol (LDAP) to verify the user name and password submitted on the login page.
An LDAP Credentials authentication scheme requires an LDAP host name, an LDAP port and a Distinguished Name (DN) string, and specifies whether to use SSL and whether the DN string is an exact DN; if it is not an exact DN, a search filter can optionally be supplied. An optional preprocessing function can be specified to adjust the formatting of the user name passed to the API.
To edit LDAP Directory:
- Sign in to Oracle APEX Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Under Authentication Control, scroll down to Development Environment Authentication Schemes. The Status column indicates whether an authentication scheme is designated as Current.
- Find LDAP Directory and click Edit. The Edit Scheme page appears.
- Click Make Current Scheme to have applications identify and verify the user using this authentication scheme.
- Under Edit Authentication Scheme:
- PL/SQL Code - Enter a PL/SQL anonymous block of code that contains procedures for pre- and post-authentication entry points. To improve performance, you can also store this code in a PL/SQL package in the database.
- Pre-Authentication Procedure Name - Specify the name of a procedure to be executed after the login page is submitted and just before credentials verification is performed. The procedure can be defined in the PL/SQL Code attribute or within the database.
Authentication schemes where user credentials checking is done outside of Oracle APEX typically do not execute the Pre-Authentication procedure. Examples include HTTP Header Variable, Oracle Application Server Single Sign-On and custom authentication schemes that use
- Post-Authentication Procedure Name - Specify the name of a procedure to be executed by the Oracle APEX LOGIN procedure after the authentication step (login credentials verification). The LOGIN procedure executes this code after it performs its normal duties, which include setting a cookie and registering the session, but before it redirects to the desired application page. The procedure can be defined in the PL/SQL Code attribute or within the database.
- Under Authentication Scheme Attributes:
Tip: To learn more about an attribute, see field-level Help.
- Host - Enter the hostname of your LDAP directory server.
- Port - Specify the port number of your LDAP directory host. The default is 389.
- Use SSL - Choose whether to use SSL to bind to the LDAP directory. If SSL with Authentication is chosen, a wallet must be configured for the Oracle APEX instance.
- Distinguished Name (DN) String - Enter the pattern used to construct the fully qualified distinguished name (DN) string passed to DBMS_LDAP.SIMPLE_BIND_S if using an exact DN, or the search base if using a non-exact DN. Use %LDAP_USER% as a placeholder for the username. Examples:
Non-Exact DN (Search Base)
- Search Filter - Enter the search filter when not using an exact distinguished name (DN). Use %LDAP_USER% as a placeholder for the username. For example:
- LDAP Username Edit Function - You may provide additional code to be executed to transform the username into a format suited to the LDAP directory entry or LDAP username. The bind variable :USERNAME contains the name the end user specified. For example, the following code calls a function which replaces all underscores ("_") in the DN string:
return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);
Oracle APEX escapes the returned username based on the authentication attribute Username Escaping.
- Username Escaping - Before replacing %LDAP_USER% in the LDAP distinguished name and search string, Oracle APEX can automatically escape special characters in the username. Options include:
Standard - Escape special characters based on RFC 4514 (for distinguished names) and RFC 4515 (for search strings). Additionally, escape Unicode characters. This is the most secure setting, but may cause problems with some LDAP servers.
Only special characters - Escape special characters based on RFC 4514 (for distinguished names) and RFC 4515 (for search strings). Do not escape unicode characters.
No escaping - Do not escape any characters. This setting is potentially insecure, unless a Username Edit Function is employed that already escapes the username (for example with apex_escape.ldap_dn or apex_escape.ldap_search_filter).
- To save your changes, click Apply Changes.
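The following PL/SQL is an added example and not code from the Oracle APEX documentation. It shows the three pieces of this procedure that take code: a database function to use as the LDAP Username Edit Function, a package whose procedures are entered as the Pre- and Post-Authentication Procedure Names, and a short block that prints what %LDAP_USER% substitution produces under "No escaping" versus "Standard" escaping. The names ldap_user_normalize, ldap_auth_hooks, login_audit, app_user_roles and the application item G_ROLE are hypothetical, the DN and filter patterns are constructed, and the pre-authentication check assumes the web listener exposes the CGI variable HTTPS=on for TLS requests.

```sql
-- Added example, not from the Oracle APEX documentation. Object names, the DN and
-- filter patterns and the sample user names are hypothetical/constructed.

-- 1. LDAP Username Edit Function: normalise the typed name, leave escaping to APEX.
create or replace function ldap_user_normalize(p_username in varchar2) return varchar2 is
  l_name varchar2(4000) := lower(trim(p_username));
begin
  l_name := substr(l_name, instr(l_name, '\') + 1);        -- drop a DOMAIN\ prefix
  if instr(l_name, '@') > 0 then
    l_name := substr(l_name, 1, instr(l_name, '@') - 1);     -- drop an @domain suffix
  end if;
  return l_name;  -- normalised only; Username Escaping = Standard escapes it exactly once
end;
/
-- LDAP Username Edit Function attribute body:   return ldap_user_normalize(:USERNAME);

-- 2. Hooks referenced by name from the scheme (defined in the database, not in PL/SQL Code).
create table login_audit (
  username   varchar2(255),
  login_time timestamp default systimestamp,
  client_ip  varchar2(64));
create table app_user_roles (
  username  varchar2(255) primary key,
  role_name varchar2(30) not null);

create or replace package ldap_auth_hooks as
  procedure pre_auth;   -- Pre-Authentication Procedure Name:  ldap_auth_hooks.pre_auth
  procedure post_auth;  -- Post-Authentication Procedure Name: ldap_auth_hooks.post_auth
end;
/
create or replace package body ldap_auth_hooks as
  procedure pre_auth is
  begin
    -- Runs before the DBMS_LDAP bind. Assumption: the listener sets HTTPS=on for TLS
    -- requests; raising here aborts the login before the password reaches the directory.
    if nvl(owa_util.get_cgi_env('HTTPS'), 'off') <> 'on' then
      raise_application_error(-20001, 'Login requires an HTTPS connection');
    end if;
  end;

  procedure post_auth is
    l_role app_user_roles.role_name%type;
  begin
    -- Runs after the bind succeeded and the session is registered, before the redirect.
    insert into login_audit (username, client_ip)
    values (v('APP_USER'), owa_util.get_cgi_env('REMOTE_ADDR'));
    -- Authorisation comes from the application's own table; unknown users get least privilege.
    begin
      select role_name into l_role from app_user_roles
       where upper(username) = upper(v('APP_USER'));
    exception
      when no_data_found then l_role := 'READONLY';
    end;
    apex_util.set_session_state('G_ROLE', l_role);
  end;
end;
/

-- 3. What %LDAP_USER% substitution yields with and without escaping (prints via dbms_output).
declare
  c_filter constant varchar2(100) := '(uid=%LDAP_USER%)';                         -- constructed
  c_dn     constant varchar2(100) := 'cn=%LDAP_USER%,ou=people,dc=example,dc=com'; -- constructed
  type t_names is table of varchar2(100);
  l_inputs t_names := t_names('EXAMPLE\JSmith', '*', 'jsmith,ou=admins');          -- constructed
  l_user   varchar2(4000);
begin
  for i in 1 .. l_inputs.count loop
    l_user := ldap_user_normalize(l_inputs(i));
    dbms_output.put_line('input              : ' || l_inputs(i));
    dbms_output.put_line('filter, No escaping: ' || replace(c_filter, '%LDAP_USER%', l_user));
    dbms_output.put_line('filter, Standard   : ' || replace(c_filter, '%LDAP_USER%', apex_escape.ldap_search_filter(l_user)));
    dbms_output.put_line('DN, No escaping    : ' || replace(c_dn, '%LDAP_USER%', l_user));
    dbms_output.put_line('DN, Standard       : ' || replace(c_dn, '%LDAP_USER%', apex_escape.ldap_dn(l_user)));
  end loop;
end;
/
```

The third block makes the Username Escaping point concrete: the input `*` becomes the filter `(uid=*)` under No escaping, which matches every entry under the search base, while RFC 4515 escaping turns it into the literal `(uid=\2a)`; the input `jsmith,ou=admins` under No escaping produces `cn=jsmith,ou=admins,ou=people,dc=example,dc=com`, an extra RDN chosen by the user, whereas RFC 4514 escaping of the comma keeps the whole value inside the cn attribute. Escape in exactly one place: with Username Escaping set to Standard or Only special characters, the edit function must return the unescaped name as above, and only with No escaping should the edit function call apex_escape itself. The HTTPS check in pre_auth is only meaningful if the listener really sets that variable; behind a TLS-terminating proxy verify what ORDS reports before relying on it.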