G'day

The environment is APEX in Oracle 10g (Express initially), and Centos Directory Server 8.1.

One of our Apex developers is trying to use LDAP to authenticate users to his application. The complication here is that there are two distinct user groups. One group is the company staff, whereas the other group can contain students, customers, staff and selected members of the public. All users will have records in the same directory server, although not in the same branch of the directory tree. Group 1 (staff) has "administrator" privileges, that is access to all parts of the application. Group 2 can only log in to fill out specially customised forms.

The method proposed to get about this is to attempt to authenticate the user as a staff member first, then to attempt authentication as a member of group 2, and fail if neither succeeds. For this, it is proposed to use two RDNs, say ou=ourPeople and ou=otherPeople, and do a search/bind with either of them as the base DN in order.

I am thinking that this is not particularly flexible and perhaps there are better solutions out there. If, for instance, in the future management decides that we need a third group, say ou=theOtherMob, then the authentication code will have to be changed. I have tried to find examples or "best practices" online, but found nothing. If you have thoughts or have come across examples on how to set this up, can you please share them?

Cheers,
Tony


  • Ian Cary at Jul 14, 2011 at 12:04 pm
    You don't say whether you are using OID or not so I'm not sure if this is
    applicable but what I do with OID and Apex is allow the user to
    authenticate and then use HTMLDB_LDAP.IS_MEMBER_OF to obtain the group
    membership. Once you have that it is straightforward to get the application
    to behave differently for different groups.

    Cheers,

    Ian
    To: oracle-l@freelists.org
    Subject: How to setup authentication for different user groups using APEX and LDAP
  • De DBA at Jul 14, 2011 at 12:55 pm
    Thanks Ian.

    No, we don't use OID but the CentOS Directory Server (version 8.1), which appears to be a descendant of the Sun Java Enterprise System/iPlanet Directory server.

    The one thing that stands out to me (having worked with the Sun/iPlanet product for a long time) is that there are no unique attributes. In the Sun product, the UID was enforced to be unique (perhaps due to our setup) throughout the database, but the Centos product apparently cannot do this. I'm not sure how that would work if there are two identical UIDs in different OUs, and the app tries to authenticate using the UID (as it does). This is why the developer wants to cascade through the different OUs.

    Perhaps the CentOS DS can enforce uniqueness, but I simply failed to find the howto?

    Cheers,
    Tony
    --
    http://www.freelists.org/webpage/oracle-l
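    The two approaches discussed above (cascading a bind per ou, versus authenticating once and then branching on group membership) can be compared in code. The following is an added example, not code from this thread, from APEX or from CentOS DS: it searches a single base DN with subtree scope so that a new ou needs no code change, refuses to proceed when more than one entry carries the uid (the duplicate-uid case raised above) instead of letting the first branch win, binds as the one DN found, and then derives the application role from group membership rather than from the branch the entry lives in. A real deployment would issue the search and bind through DBMS_LDAP or a client library; here a small in-memory directory stands in for the server so the logic runs offline, and every DN, uid, group name and password is constructed.

```python
"""Single-base search-then-bind with a uniqueness check and group-derived roles.

Added example, not code from the thread or from Oracle/APEX.  A small
in-memory directory stands in for CentOS DS; every DN, uid, group and
password below is constructed.
"""
import hashlib
import hmac

BASE_DN = "dc=example,dc=com"   # one base for all branches; a new ou needs no code change


def _pw_hash(password: str) -> str:
    # stands in for the server-side userPassword hash
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory content: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=ourPeople,dc=example,dc=com":
        {"uid": ["alice"], "userPassword": _pw_hash("staff-pw")},
    "uid=bob,ou=otherPeople,dc=example,dc=com":
        {"uid": ["bob"], "userPassword": _pw_hash("student-pw")},
    "uid=dave,ou=otherPeople,dc=example,dc=com":      # valid account, in no application group
        {"uid": ["dave"], "userPassword": _pw_hash("dave-pw")},
    # the same uid in two branches: the ambiguous case
    "uid=carol,ou=ourPeople,dc=example,dc=com":
        {"uid": ["carol"], "userPassword": _pw_hash("carol-staff")},
    "uid=carol,ou=otherPeople,dc=example,dc=com":
        {"uid": ["carol"], "userPassword": _pw_hash("carol-student")},
    "cn=appAdmins,ou=Groups,dc=example,dc=com":
        {"uniqueMember": ["uid=alice,ou=ourPeople,dc=example,dc=com"]},
    "cn=formUsers,ou=Groups,dc=example,dc=com":
        {"uniqueMember": ["uid=bob,ou=otherPeople,dc=example,dc=com",
                          "uid=carol,ou=otherPeople,dc=example,dc=com"]},
}


def ldap_search(base: str, attr: str, value: str) -> list:
    """Stand-in for a subtree search with filter (attr=value) under `base`.

    A real client builds that filter as a string and must escape `value`
    per RFC 4515 first; the stand-in takes attr and value separately.
    """
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and value in attrs.get(attr, [])]


def ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind as `dn`."""
    entry = DIRECTORY.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return hmac.compare_digest(entry["userPassword"], _pw_hash(password))


# Application roles keyed by group DN, most privileged first.  Adding a third
# population means adding a group entry here, not another bind attempt.
ROLE_BY_GROUP = [
    ("cn=appAdmins,ou=Groups,dc=example,dc=com", "admin"),
    ("cn=formUsers,ou=Groups,dc=example,dc=com", "forms-only"),
]


class AuthError(Exception):
    """Login refused; the message is for the log, not for the end user."""


def is_member_of(user_dn: str, group_dn: str) -> bool:
    return user_dn in DIRECTORY.get(group_dn, {}).get("uniqueMember", [])


def authenticate(uid: str, password: str) -> tuple:
    """Return (dn, role) for a valid login, raise AuthError otherwise."""
    matches = ldap_search(BASE_DN, "uid", uid)
    if not matches:
        raise AuthError("unknown uid")
    if len(matches) > 1:
        # Two entries share the uid.  Cascading binds branch by branch would
        # silently pick whichever matched first; refuse instead so the
        # directory can be fixed (or uniqueness enforced) before anyone logs in.
        raise AuthError("ambiguous uid %r: %d entries" % (uid, len(matches)))
    dn = matches[0]
    if not ldap_bind(dn, password):
        raise AuthError("invalid credentials")
    for group_dn, role in ROLE_BY_GROUP:
        if is_member_of(dn, group_dn):
            return dn, role
    # Authenticated but not authorised: a valid directory account is not
    # by itself a licence to use this application.
    raise AuthError("no application role for " + dn)


if __name__ == "__main__":
    for uid, pw in [("alice", "staff-pw"), ("bob", "student-pw"),
                    ("carol", "carol-student"), ("dave", "dave-pw"), ("alice", "wrong")]:
        try:
            print(uid, "->", authenticate(uid, pw))
        except AuthError as err:
            print(uid, "-> refused:", err)
```

    The point of the ordering is that the uid lookup, the bind and the authorisation decision are three separate steps: a duplicate uid is caught before any password is sent, and a correct password alone never yields a role. Whether or not the directory itself enforces uid uniqueness, the `len(matches) > 1` check costs nothing and keeps an ambiguous account from being mapped to the wrong branch.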
  • Ian Cary at Jul 14, 2011 at 3:13 pm
    Hi Tony,

    I've a feeling that the HTMLDB_LDAP package is just a wrapper for ldap bind
    calls so the call may still work to your LDAP directory anyway.

    Cheers,

    Ian
  • Robert Freeman at Jul 15, 2011 at 2:45 am
    So I've posted part four on the Holistic DBA on my blog... Comments welcome.


    http://robertgfreeman.blogspot.com

    Robert G. Freeman
    Master Principal Consultant, Oracle Corporation, Oracle ACE
    Author of various books on RMAN, New Features and this shorter signature line.
    Blog: http://robertgfreeman.blogspot.com

    Note: THIS EMAIL IS NOT AN OFFICIAL ORACLE SUPPORT COMMUNICATION. It is just the
    opinion of one Oracle employee. I can be wrong, have been wrong in the past and
    will be wrong in the future. If your problem is a critical production problem,
    you should always contact Oracle support for assistance. Statements in this
    email in no way represent Oracle Corporation or any subsidiaries and reflect
    only the opinion of the author of this email.

Discussion overview: group oracle-l, category oracle, posted Jul 14, '11 at 11:33a, active Jul 15, '11 at 2:45a, 6 posts, 3 users, website oracle.com