RE: Oracle / LDAP ACLs
Date: Wed, 17 Jul 2024 18:58:21 +0000
Message-ID: <CH3PR16MB5897C4DE460E849C17A1C43DC5A32_at_CH3PR16MB5897.namprd16.prod.outlook.com>
It seems we got the ACLs figured out. Now we are getting issues with SSL:
ORA-31202: DBMS_LDAP: LDAP client/server error: SSL handshake failed
I was given a cert and I created a wallet for it and did the following:
begin
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('ldap_acl_file.xml','APEX_210200', true, 'use-client-certificates');
end;
/
begin
DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('ldap_acl_file.xml','file:/oracle/data/admin/EBSADEVL/wallet/ebsadevl_ldap/');
end;
/
Any ideas where to go from here?
Scott Canaan ‘88
Sr Database Administrator
Information & Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520
srcdco_at_rit.edu<mailto:srcdco_at_rit.edu> | c: (585) 339-8659
CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
From: Mikhail Velikikh <mvelikikh_at_gmail.com<mailto:mvelikikh_at_gmail.com>>
Sent: Monday, July 8, 2024 5:52 PM
To: Scott Canaan <srcdco_at_rit.edu<mailto:srcdco_at_rit.edu>>
Cc: Oracle-L Freelists <oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>>
Subject: Re: Oracle / LDAP ACLs
You can set the events below to enable extended debugging of the network ACL component:
alter session set events '10937 level 6:trace[xsacl]';
-- run the problem code causing ORA-24247
-- disable debugging
alter session set events '10937 off:trace[xsacl] off';
The output of event 10937 is discussed in https://berxblog.blogspot.com/2021/05/tracing-network-acls.html
On a different topic, you have not mentioned your Oracle version but the procedures you are using have been deprecated since 12.1: https://docs.oracle.com/database/121/ARPLS/d_networkacl_adm.htm#ARPLS74568
Best regards,
Mikhail Velikikh
On Mon, 8 Jul 2024 at 15:01, Scott Canaan <dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>> wrote: I’m trying to allow Oracle to connect to LDAP using ACLs. The user that requested it is still getting “ORA-24247: network access denied by access control list (ACL)”. This is what I’ve tried:
BEGIN
DBMS_NETWORK_ACL_ADMIN.create_acl (
acl => 'ldap_acl_file.xml', description => 'ACL to grant access to LDAP server', principal => 'APEX_EBA', is_grant => TRUE, privilege => 'connect', start_date => SYSTIMESTAMP, end_date => NULL);
end;
/
begin
DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'ldap_acl_file.xml', host => 'ldap.rit.edu<http://ldap.rit.edu>', lower_port => 389, upper_port => NULL);
end;
/
begin
DBMS_NETWORK_ACL_ADMIN.assign_acl (
acl => 'ldap_acl_file.xml', host => 'ldap.rit.edu<http://ldap.rit.edu>', lower_port => 686, upper_port => NULL);
COMMIT;
END;
/
I don’t see what is wrong here.
Scott Canaan ‘88
Sr Database Administrator
Information & Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520
srcdco_at_rit.edu<mailto:srcdco_at_rit.edu> | c: (585) 339-8659
CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
-- http://www.freelists.org/webpage/oracle-lReceived on Wed Jul 17 2024 - 20:58:21 CEST