Subject: Re: ldap authentication
Here it is. Obviously some customization will be necessary for your
directory's structure.
CREATE OR REPLACE FUNCTION LDAP_AUTHENTICATE (i_username IN VARCHAR2, i_password IN VARCHAR2) RETURN BOOLEAN AS
  c_Directory CONSTANT VARCHAR2(50)  := <address of directory>;
  --389 is plain LDAP: both the lookup password and the user's password cross
  --the network in the clear. For production use LDAPS (636) via DBMS_LDAP.OPEN_SSL.
  c_Port      CONSTANT NUMBER(4)     := 389;
  c_BaseDN    CONSTANT VARCHAR2(200) := <base DN (where to start looking)>;
  c_InitUser  CONSTANT VARCHAR2(200) := <DN of the read-only lookup user>;
  c_InitPass  CONSTANT VARCHAR2(200) := <password of the read-only lookup user>;
  v_session       DBMS_LDAP.SESSION;
  v_success       PLS_INTEGER;
  v_attributes    DBMS_LDAP.STRING_COLLECTION;
  v_result        DBMS_LDAP.MESSAGE;
  v_userdn        VARCHAR2(2000);
  v_filter_user   VARCHAR2(4000);
  v_authenticated BOOLEAN := FALSE;
BEGIN
  --Refuse an empty password before touching the directory: a simple bind with
  --a DN and an empty password is an "unauthenticated bind" that most servers,
  --Active Directory included, accept as anonymous and report as success.
  IF i_password IS NULL THEN
    RETURN FALSE;
  END IF;
  --Escape the username for use inside a search filter (RFC 4515) so that
  --'*', '(', ')' and '\' in the input cannot change the filter's structure.
  v_filter_user := REPLACE(i_username,    '\',    '\5c');
  v_filter_user := REPLACE(v_filter_user, '*',    '\2a');
  v_filter_user := REPLACE(v_filter_user, '(',    '\28');
  v_filter_user := REPLACE(v_filter_user, ')',    '\29');
  v_filter_user := REPLACE(v_filter_user, CHR(0), '\00');
  --Open initial lookup session and bind as the read-only lookup user.
  v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
  v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, c_InitUser, c_InitPass);
  IF v_success = DBMS_LDAP.SUCCESS THEN
    --Retrieve user's DN. I look in both sAMAccountName and mailNickname
    --for a match to the username.
    v_attributes(1) := NULL;
    v_success := DBMS_LDAP.SEARCH_S(ld       => v_session,
                                    base     => c_BaseDN,
                                    scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                    filter   => '(|(sAMAccountName=' || v_filter_user || ')(mailNickname=' || v_filter_user || '))',
                                    attrs    => v_attributes,
                                    attronly => 0,
                                    res      => v_result);
    IF v_success = DBMS_LDAP.SUCCESS AND DBMS_LDAP.COUNT_ENTRIES(v_session, v_result) > 0 THEN
      --Get the first DN that was returned.
      v_userdn := DBMS_LDAP.GET_DN(v_session, DBMS_LDAP.FIRST_ENTRY(v_session, v_result));
      IF v_userdn IS NOT NULL THEN
        --We have their dn, so we can now try to authenticate them.
        v_success := DBMS_LDAP.UNBIND_S(v_session);
        v_session := DBMS_LDAP.INIT(c_Directory, c_Port);
        v_success := DBMS_LDAP.SIMPLE_BIND_S(v_session, v_userdn, i_password);
        v_authenticated := (v_success = DBMS_LDAP.SUCCESS);
      END IF;
    END IF;
  END IF;
  v_success := DBMS_LDAP.UNBIND_S(v_session);
  RETURN v_authenticated;
EXCEPTION
  WHEN OTHERS THEN
    --With DBMS_LDAP.USE_EXCEPTION at its default (TRUE) a failed bind raises
    --rather than returning an error code, so any LDAP error means "not authenticated".
    BEGIN
      v_success := DBMS_LDAP.UNBIND_S(v_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RETURN FALSE;
END LDAP_AUTHENTICATE;
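The search-then-bind flow of the function above, as an added example that is not part of the original post and not Oracle's DBMS_LDAP code: a Python model of the same three steps (bind as the read-only lookup user, search for the DN by sAMAccountName or mailNickname, rebind as that DN with the supplied password) against an in-memory fake directory, so the two traps in this pattern can be exercised offline. The directory entries, DNs, account names and passwords are constructed for the example, and the filter evaluator covers only the subset of RFC 4515 the function uses (equality with `*` wildcards inside `|` and `&`). Usernames are escaped per RFC 4515 before they go into the filter, and an empty password is refused before the second bind, because most servers, Active Directory included, accept a DN with an empty password as an anonymous "unauthenticated bind" and report success; both protections can be switched off to see what the unprotected version does.

```python
"""Search-then-bind LDAP login, modelled offline against a fake directory."""
import re

# Constructed sample directory (not real data): dn -> searchable attributes and
# the password the fake bind checks. A real server never returns passwords.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=example,DC=edu": {
        "attrs": {"sAMAccountName": "Administrator", "mailNickname": "admin"},
        "password": "S3cret!"},
    "CN=Jane Smith,OU=Staff,DC=example,DC=edu": {
        "attrs": {"sAMAccountName": "jsmith", "mailNickname": "jane.smith"},
        "password": "hunter2"},
}
# Read-only lookup account (the c_InitUser / c_InitPass of the PL/SQL version).
LOOKUP_DN, LOOKUP_PW = "CN=ldaplookup,CN=Users,DC=example,DC=edu", "lookup-pw"


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username, escape=True):
    """The filter the PL/SQL function builds, with or without escaping."""
    u = ldap_escape(username) if escape else username
    return "(|(sAMAccountName=%s)(mailNickname=%s))" % (u, u)


def _parse(filt, pos=0):
    """Tiny recursive-descent parser: (attr=value) inside optional (|...) / (&...)."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if filt[pos] in "|&":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] != ")":
            child, pos = _parse(filt, pos)
            children.append(child)
        return (op, children), pos + 1
    end = filt.index(")", pos)          # an unescaped ')' always ends the item
    attr, value = filt[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def _value_regex(value):
    """Unescaped '*' is a wildcard; '\\xx' escapes become literal characters."""
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in value.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _matches(node, attrs):
    if node[0] == "|":
        return any(_matches(c, attrs) for c in node[1])
    if node[0] == "&":
        return all(_matches(c, attrs) for c in node[1])
    _, attr, value = node
    return attr in attrs and _value_regex(value).match(attrs[attr]) is not None


class FakeLdapServer:
    """Just enough of a directory server: simple bind and subtree search."""

    def __init__(self, entries):
        self.entries = entries

    def simple_bind(self, dn, password):
        # RFC 4513 5.1.2 "unauthenticated bind": a DN with an empty password is
        # accepted as anonymous. Active Directory does this by default, so a
        # caller that reads "bind succeeded" as "password correct" is fooled.
        if password == "":
            return True
        if dn == LOOKUP_DN:
            return password == LOOKUP_PW
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, filt):
        node, _ = _parse(filt)
        return [dn for dn, e in self.entries.items() if _matches(node, e["attrs"])]


SERVER = FakeLdapServer(DIRECTORY)


def resolve_dn(server, username, escape=True):
    """Steps 1-2 of the PL/SQL function: bind as the lookup user, take the first hit."""
    if not server.simple_bind(LOOKUP_DN, LOOKUP_PW):
        return None
    hits = server.search(build_filter(username, escape))
    return hits[0] if hits else None


def authenticate(server, username, password, escape=True, reject_empty=True):
    """Step 3: rebind as the resolved DN. Returns (authenticated, dn_used)."""
    if reject_empty and password == "":     # never let an empty password reach bind
        return False, None
    dn = resolve_dn(server, username, escape)
    if dn is None:
        return False, None
    return server.simple_bind(dn, password), dn


if __name__ == "__main__":
    print(authenticate(SERVER, "jsmith", "hunter2"))
    # Both protections off: '*' matches every account and the empty password
    # binds as the first one the search returns, which here is Administrator.
    print(authenticate(SERVER, "*", "", escape=False, reject_empty=False))
    print(authenticate(SERVER, "*", ""))
```

Run directly, the first call is the normal login; the second shows why the two defects matter together (an unescaped `*` picks whatever entry the directory returns first, and the empty password then "succeeds" as that account); the third, with escaping and the empty-password check at their defaults, fails as it should.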
> From: "Goulet, Dick" <DGoulet_at_vicr.com>
> Date: Fri, 26 Aug 2005 11:19:56 -0400
> To: <jheinrich_at_pcci.edu>, <stellr_at_cns.vt.edu>, oracle-l
> <oracle-l_at_freelists.org>
> Subject: RE: ldap authentication
>
> Jason,
>
> Would you care to share that proof of concept code???
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jason Heinrich
> Sent: Friday, August 26, 2005 11:16 AM
> To: stellr_at_cns.vt.edu; oracle-l
> Subject: Re: ldap authentication
>
> The article in question is talking about logging into an application
> (especially an HTMLDB application), not logging into the database. The
> assumption is that the application is already connected/authenticated
> with
> the database. The only software requirement for the LDAP authentication
> then is an Oracle database with the DBMS_LDAP package, which comes with
> Standard edition.
>
> I did something like this last month as a proof-of-concept for
> authenticating against our Active Directory. Basically it involves
> connecting to AD as a read-only lookup user, retrieving the user's DN,
> then
> attempting to reconnect to AD as that DN with the user-supplied
> password.
> If the second connection worked, we return TRUE that they're
> authenticated.
>
> ---------------
> Jason Heinrich
> Oracle Database Administrator
> Pensacola Christian College
> (850) 478-8496 x2509
> jheinrich_at_pcci.edu
--
http://www.freelists.org/webpage/oracle-l

Received on Fri Aug 26 2005 - 11:03:59 CDT