LDAP Authentication Scheme With SSL Not Working

(Doc ID 2347957.1)

Last updated on JANUARY 14, 2018

Applies to:

Oracle Application Express (APEX) - Version and later
Information in this document applies to any platform.


When attempting to test an LDAP connection to an Active Directory LDAP server using SSL, the request fails with the following:

 1 error has occurred

  Authentication failed

  ORA-31202: DBMS_LDAP: LDAP client/server error: Can't contact LDAP server

The same request runs without error when SSL is not used.
The correct wallet has been created in the database and is referenced in the APEX instance settings.

The issue can be reproduced at will with the following steps:
1. Create an LDAP-based authentication scheme and enter the LDAP parameters (Development page p=4000).
2. Click the Test Login button. The error appears.


The following anonymous block also fails in SQL*Plus (saved as auth.sql; placeholders in angle brackets must be replaced):
DECLARE
  l_ldap_host   VARCHAR2(256) := 'ldaps.example.com';
  l_ldap_port   VARCHAR2(256) := '636';
  l_username    VARCHAR2(256) := '<USERNAME>';
  l_password    VARCHAR2(256) := '<PASSWORD>';
  -- l_ldap_base VARCHAR2(256) := 'dc=example,dc=com';
  l_dn_prefix   VARCHAR2(100) := 'GA\'; -- Amend as desired (domain prefix for the bind DN)

  l_retval      PLS_INTEGER;
  l_session     DBMS_LDAP.session;
BEGIN

  IF l_username IS NULL OR l_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20000, 'Credentials must be specified.');
  END IF;

  -- Choose to raise exceptions.
  DBMS_LDAP.use_exception := TRUE;

  -- Connect to the LDAP server.
  l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                              portnum  => l_ldap_port);

  dbms_output.put_line('connected');

  -- Start SSL; sslauth => 2 means one-way SSL (the server certificate is verified against the wallet).
  l_retval := DBMS_LDAP.open_ssl(ld              => l_session,
                                 sslwrl          => 'file:/u01/app/oracle/owm/wallets/oracle',
                                 sslwalletpasswd => '<PASSWORD>',
                                 sslauth         => 2);

  dbms_output.put_line('ssl opened');

  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => l_dn_prefix || l_username,
                                      passwd => l_password);

  -- No exceptions mean you are authenticated.
  dbms_output.put_line('authenticated');

  l_retval := DBMS_LDAP.unbind_s(ld => l_session);
END;
/


SQL> @auth
ERROR at line 1:
ORA-31202: DBMS_LDAP: LDAP client/server error: SSL handshake failed
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1489
ORA-06512: at "SYS.DBMS_LDAP", line 1266
ORA-06512: at line 26


The customer is unable to use an LDAP server over SSL with APEX.


The host name used for the HTTP calls is not the same host name as the one on the SSL certificate installed on the LDAP server.
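A quick way to confirm this cause before touching the wallet is to compare the host name the client connects to (here ldaps.example.com, the value of l_ldap_host above) with the names actually present in the server certificate. The following Python script is an added example, not part of this note or of Oracle's code. It implements the host-name comparison that a verifying TLS client performs (exact match on the subject CN or DNS subjectAltName entries, with a leading wildcard covering a single label), runs it against a constructed certificate dictionary in the shape Python's ssl.getpeercert() returns, and includes a fetch_peer_cert helper for pulling the live certificate from a server; the sample names, the CA file path and the fetch helper's use are assumptions for illustration.

```python
"""Check whether the host name a client uses matches the name(s) in the
LDAP server's TLS certificate, the mismatch behind 'SSL handshake failed'
in the note above.  Added example, not Oracle code."""
import socket
import ssl


def cert_names(cert):
    """Split a certificate dict (the shape ssl.SSLSocket.getpeercert()
    returns) into subject common names and DNS subjectAltName entries."""
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a leading '*' matches exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # '*.example.com' -> '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert, hostname):
    """True when the name the client connected to is covered by the cert.
    If any DNS SAN is present the CN is ignored, as modern TLS clients do."""
    cns, sans = cert_names(cert)
    return any(_name_matches(name, hostname) for name in (sans or cns))


def diagnose(cert, hostname):
    """Human-readable verdict for a support ticket."""
    cns, sans = cert_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' matches the server certificate"
    return (f"MISMATCH: connected to '{hostname}' but the certificate is for "
            f"CN={cns} SAN={sans}; connect with one of those names, or "
            f"re-issue the certificate to include '{hostname}'")


def fetch_peer_cert(host, port=636, ca_pem=None, timeout=5.0):
    """Fetch the live server certificate for diagnosis.  Chain validation
    stays on (ca_pem = the CA certificate exported from the wallet, or the
    system CAs when None) but the host-name check is disabled so that a
    mismatched certificate is returned instead of raising.  Assumed usage;
    not called by the offline demo below."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: what getpeercert() would return for a domain
# controller whose certificate names only its real host name.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "dc01.example.com"),)),
    "subjectAltName": (("DNS", "dc01.example.com"),
                       ("DNS", "*.ad.example.com")),
}

if __name__ == "__main__":
    # The alias the PL/SQL block connects to is not on the certificate.
    print(diagnose(SAMPLE_CERT, "ldaps.example.com"))
    print(diagnose(SAMPLE_CERT, "dc01.example.com"))
```

With a live server, `diagnose(fetch_peer_cert("ldaps.example.com", ca_pem="/path/to/wallet-ca.pem"), "ldaps.example.com")` gives the same verdict for the real certificate; the fix is then either to set l_ldap_host (and the APEX authentication scheme host) to a name the certificate carries, or to re-issue the server certificate with the alias in its subjectAltName.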

