LDAP Authentication with APEX

Here is a quick tutorial on how to set up LDAP authentication with Oracle Application Express 4.1.1.
Let’s assume that my LDAP server is ldap.mydomain.com on port 389. The ou group is “People”.
The first thing you need to do if working with Oracle database 11G is to set up an access control list (ACL) for the Apex schema, so it can resolve and connect to the LDAP server. This step is not necessary in database 10G.
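The ACL step above as an added example; this is not the post's own script. It assumes Oracle 11g's DBMS_NETWORK_ACL_ADMIN package, the LDAP host and port from this post, the APEX 4.1 engine schema APEX_040100 (the principal named in the comments), and an ACL file name of my choosing; it is run as a DBA. Only that one schema is granted access, and only to that one host and port.

```sql
-- Added example (not the post's own script). Run as SYS or a DBA on Oracle 11g.
-- Grants the APEX engine schema, and nothing else, the right to resolve and
-- connect to the LDAP server used by the authentication scheme.
DECLARE
  l_acl       VARCHAR2(100) := 'apex_ldap_acl.xml';   -- ACL file name (assumed; stored under /sys/acls)
  l_principal VARCHAR2(30)  := 'APEX_040100';         -- APEX 4.1 schema; use APEX_040200 for 4.2
  l_host      VARCHAR2(100) := 'ldap.mydomain.com';   -- LDAP server from the post
  l_port      NUMBER        := 389;                   -- LDAP port from the post
BEGIN
  -- Create the ACL with its first privilege: connect, granted to the APEX schema only.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => l_acl,
    description => 'Allow the APEX engine to reach the LDAP directory',
    principal   => l_principal,
    is_grant    => TRUE,
    privilege   => 'connect');

  -- resolve lets the schema look up the host name before connecting.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => l_acl,
    principal => l_principal,
    is_grant  => TRUE,
    privilege => 'resolve');

  -- Bind the ACL to exactly this host and port: no wildcard host, no open port range.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => l_acl,
    host       => l_host,
    lower_port => l_port,
    upper_port => l_port);

  COMMIT;  -- ACL changes are transactional and must be committed
END;
/

-- Check what was granted: any extra principal, host or port here is unneeded reach.
SELECT a.host, a.lower_port, a.upper_port, p.principal, p.privilege, p.is_grant
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p ON p.acl = a.acl
 WHERE a.acl LIKE '%apex_ldap_acl.xml';
```

If the login later fails with ORA-24247 (network access denied by access control list), the principal, host or port in this ACL does not match what the authentication scheme actually uses.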

Now configure a new authentication scheme in Application Express to authenticate via LDAP.

In your Apex application go to Shared Components -> Authentication Schemes, and click the Create button.

Choose the radio button Based on a pre-configured scheme from the gallery, and click Next.

Provide a name, for example LDAP Authentication.

Select the scheme type LDAP Directory.

Now the new Settings region appears. Fill in the values as in the example below, and make substitutions to host, domain, ou, etc. as necessary.

Note that the substitution string %LDAP_USER% will be replaced with the username entered on the login screen.

For Microsoft Active Directory the entry is slightly different (make substitutions as necessary). Note that in this example, the Active Directory server name is ad.mydomain.com.


Once all fields are filled in, click the Create button. You should now see the newly created authentication scheme in the list, marked as Current.

Now try to log into your application.

If you have trouble logging in, you can use the PL/SQL procedure below to trap any error messages:

13 thoughts on “LDAP Authentication with APEX”

  • February 16, 2013 at 8:51 pm

    Thanks Man. Great Post. Appreciated indeed!!
  • April 22, 2013 at 1:23 am

    Hi,
    what does “l_principal VARCHAR2(30) := ‘APEX_040100’;” mean?
    I am using apex 4.2, what should I put here as a value?

    Regards.
    • April 23, 2013 at 9:07 am

      Muhammad,
      the principal is the schema to which access privileges are granted. If you’re using Apex 4.2, it would be APEX_040200.

      Regards,
      Christoph
  • September 24, 2013 at 5:50 am

    Thanks for this post! The DN string for Microsoft Active Directory works perfectly!
  • January 22, 2014 at 3:02 pm

    Thanks for the post. I now have users logging in through their LDAP account. Great job!
  • July 15, 2014 at 7:52 am

    Hi,

    Thanks for the post.

    I’m referring to the ‘ad.mydomain.com.’ example. In the LDAP settings you have mydomain\ %LDAP_USER%, would “mydomain” be the part in ad.mydomain.com?

    For example, if my Active Directory domain is ad.example.com would my domain be example?

    Also, is this %LDAP_USER% an apex built-in variable, and is its value the actual username when the user logs in?

    Thanks
    • July 15, 2014 at 8:13 am

      Dude,
      you are correct. In your example, “example” would be the domain. The %LDAP_USER% holds the value of the username from the login page.

      Cheers,
      Christoph
  • May 6, 2015 at 3:50 pm

    Thanks for the detailed explanation. I just have one question. %LDAP_USER% will allow all the LDAP users to access the application. If only particular groups in Active Directory, say (accounting and finance), need to access the application, how do we restrict the users?
  • May 7, 2015 at 6:06 am

    Hi dear,
    you have explained only one ou, which is PEOPLE. What if I have more than 1 ou? And inside these ou, I have child ou as well…
    for example, my main ou is HCT, under HCT I have STAFF, under STAFF I have ETC, under ETC I have CSS.
    come back to HCT, under HCT I have STUDENT, under STUDENT I have IT…. and so on.

    please guide me.

    thank you.
