Re: Oracle / LDAP ACLs
Date: Thu, 18 Jul 2024 13:35:02 +0300
Message-ID: <CAOW9pnRw93J256mFq5JGtjnh=tnWgHbE6_L5uFWd0XgbfDDCNg_at_mail.gmail.com>
Hi Scott,
If you don't have access to the application code, you can create an AFTER
LOGON schema trigger with filtering conditions like
SYS_CONTEXT('USERENV','HOST'), etc., to debug the session . You can
use the ALTER
SESSION SET TRACEFILE_IDENTIFIER command to mark the sessions and find your
trace files. If you're concerned about the number of trace files that will
be generated, you can enable the logon trigger for a short period and
disable it afterward. Alternatively, you can apply a logic like
MOD(SYS_CONTEXT('USERENV','SESSIONID'),
333) = 0 to filter only a subset of sessions. After debugging the issue, do
not forget to disable the logon trigger.
Regards,
Osman DİNÇ
https://dincosman.com
Scott Canaan <dmarc-noreply_at_freelists.org>, 17 Tem 2024 Çar, 21:59 tarihinde şunu yazdı:
> Unfortunately, I’m not the one running the code and I don’t have access to
> it.
>
>
>
> *Scott Canaan ‘88*
>
> *Sr Database Administrator *Information & Technology Services
> Finance & Administration
>
>
> *Rochester Institute of Technology *o: (585) 475-7886 | f: (585) 475-7520
>
> *srcdco_at_rit.edu <srcdco_at_rit.edu>* | c: (585) 339-8659
>
> *CONFIDENTIALITY NOTE*: The information transmitted, including
> attachments, is intended only for the person(s) or entity to which it is
> addressed and may contain confidential and/or privileged material. Any
> review, retransmission, dissemination or other use of, or taking of any
> action in reliance upon this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and destroy any copies of this information.
>
>
>
> *From:* Kurt Van Meerbeeck <kurtvm_at_telenet.be>
> *Sent:* Wednesday, July 17, 2024 2:57 PM
> *To:* Scott Canaan <srcdco_at_rit.edu>
> *Cc:* Mikhail Velikikh <mvelikikh_at_gmail.com>; Oracle-L Freelists <
> oracle-l_at_freelists.org>
> *Subject:* Re: Oracle / LDAP ACLs
>
>
>
> If i'm not mistaken - try setting
>
> ALTER SESSION SET EVENTS = '10937 TRACE NAME CONTEXT FOREVER, LEVEL 4';
>
> in your session and retry.
>
>
>
> this will trace the ssl handshake (kind of like java.net.debug=all).
>
> It might be :
>
> - missing root or intermediate certs
>
> - ssl protocol too low (for example sslv3<=>tls1.2/tls1.3)
>
> - or an ssl cipher not supported
>
> in any case the trace should show what the cause is
>
>
>
> cheers
>
> K
>
>
> ------------------------------
>
> *Van: *"Scott Canaan" <dmarc-noreply_at_freelists.org>
> *Aan: *"Mikhail Velikikh" <mvelikikh_at_gmail.com>
> *Cc: *"Oracle-L Freelists" <oracle-l_at_freelists.org>
> *Verzonden: *Woensdag 17 juli 2024 19:06:08
> *Onderwerp: *RE: Oracle / LDAP ACLs
>
>
>
> It seems we got the ACLs figured out.  Now we are getting issues with SSL:
>
>
>
> ORA-31202: DBMS_LDAP: LDAP client/server error: SSL handshake failed
>
>
>
> I was given a cert and I created a wallet for it and did the following:
>
>
>
> begin
>
> DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE('ldap_acl_file.xml','APEX_210200',
> true, 'use-client-certificates');
>
> end;
>
> /
>
> begin
>
>
> DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL('ldap_acl_file.xml','file:/oracle/data/admin/EBSADEVL/wallet/ebsadevl_ldap/');
>
> end;
>
> /
>
>
>
> Any ideas where to go from here?
>
>
>
> *Scott Canaan ‘88*
>
> *Sr Database Administrator *Information & Technology Services
> Finance & Administration
>
>
> *Rochester Institute of Technology *o: (585) 475-7886 | f: (585) 475-7520
>
> *srcdco_at_rit.edu <srcdco_at_rit.edu>* | c: (585) 339-8659
>
> *CONFIDENTIALITY NOTE*: The information transmitted, including
> attachments, is intended only for the person(s) or entity to which it is
> addressed and may contain confidential and/or privileged material. Any
> review, retransmission, dissemination or other use of, or taking of any
> action in reliance upon this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and destroy any copies of this information.
>
>
>
> *From:* Mikhail Velikikh <mvelikikh_at_gmail.com>
> *Sent:* Monday, July 8, 2024 5:52 PM
> *To:* Scott Canaan <srcdco_at_rit.edu>
> *Cc:* Oracle-L Freelists <oracle-l_at_freelists.org>
> *Subject:* Re: Oracle / LDAP ACLs
>
>
>
> You can set the events below to enable extended debugging of the network
> ACL component:
>
>
>
> alter session set events '10937 level 6:trace[xsacl]';
>
> -- run the problem code causing ORA-24247
>
> -- disable debugging
>
> alter session set events '10937 off:trace[xsacl] off';
>
>
>
> The output of event 10937 is discussed in
> https://berxblog.blogspot.com/2021/05/tracing-network-acls.html
>
>
>
> On a different topic, you have not mentioned your Oracle version but the
> procedures you are using have been deprecated since 12.1:
> https://docs.oracle.com/database/121/ARPLS/d_networkacl_adm.htm#ARPLS74568
>
>
>
> Best regards,
>
> *Mikhail Velikikh*
>
>
>
>
>
>
>
> On Mon, 8 Jul 2024 at 15:01, Scott Canaan <dmarc-noreply_at_freelists.org>
> wrote:
>
> I’m trying to allow Oracle to connect to LDAP using ACLs.  The user that
> requested it is still getting “ORA-24247: network access denied by access
> control list (ACL)”. This is what I’ve tried:
>
>
>
> BEGIN
>
>   DBMS_NETWORK_ACL_ADMIN.create_acl (
>
>     acl          => 'ldap_acl_file.xml',
>
>     description  => 'ACL to grant access to LDAP server',
>
>     principal    => 'APEX_EBA',
>
>     is_grant     => TRUE,
>
>     privilege    => 'connect',
>
>     start_date   => SYSTIMESTAMP,
>
>     end_date     => NULL);
>
> end;
>
> /
>
> begin
>
>   DBMS_NETWORK_ACL_ADMIN.assign_acl (
>
>     acl         => 'ldap_acl_file.xml',
>
>     host        => 'ldap.rit.edu',
>
>     lower_port  => 389,
>
>     upper_port  => NULL);
>
> end;
>
> /
>
>
>
> begin
>
>   DBMS_NETWORK_ACL_ADMIN.assign_acl (
>
>     acl         => 'ldap_acl_file.xml',
>
>     host        => 'ldap.rit.edu',
>
>     lower_port  => 686,
>
>     upper_port  => NULL);
>
>
>
>   COMMIT;
>
> END;
>
> /
>
>
>
> I don’t see what is wrong here.
>
>
>
>
> *Scott Canaan ‘88 *
> *Sr Database Administrator *Information & Technology Services
> Finance & Administration
>
>
> *Rochester Institute of Technology *o: (585) 475-7886 | f: (585) 475-7520
>
> *srcdco_at_rit.edu <srcdco_at_rit.edu>* | c: (585) 339-8659
>
> *CONFIDENTIALITY NOTE*: The information transmitted, including
> attachments, is intended only for the person(s) or entity to which it is
> addressed and may contain confidential and/or privileged material. Any
> review, retransmission, dissemination or other use of, or taking of any
> action in reliance upon this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and destroy any copies of this information.
>
>
>
>
>
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Jul 18 2024 - 12:35:02 CEST
