LDAP Authentication Scheme With SSL Not Working
(Doc ID 2347957.1)
Last updated on FEBRUARY 09, 2023
Applies to:
Oracle Application Express (APEX) - Version 5.0.4.00.12 and laterOracle Database Exadata Cloud Machine - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Database Cloud Exadata Service - Version N/A and later
Oracle Database Cloud Service - Version N/A and later
Information in this document applies to any platform.
Symptoms
When attempting to test and LDAP connection to an Active Directory LDAP server using SSL, the request fails with the following:
ERROR
-----------------------
1 error has occurred
Authentication failed
ORA-31202: DBMS_LDAP: LDAP client/server error: Can't contact LDAP server
The same request runs without error when not using SSL.
The correct wallet has been implemented in the database and reference in the APEX instance settings.
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Create an LDAP based authentication scheme, and add the LDAP parameters to Development page p=4000:
2. Click the test login button. The error appears.
The following call also fails in SQLPlus:
declare
l_ldap_host VARCHAR2(256) := 'ldaps.example.com';
l_ldap_port VARCHAR2(256) := '636';
l_username VARCHAR2(256) := '<USERNAME>';
l_password VARCHAR2(256) := '<PASSWORD';
-- l_ldap_base VARCHAR2(256) := 'dc=example,dc=com';
l_dn_prefix VARCHAR2(100) := 'GA\'; -- Amend as desired'.
l_retval PLS_INTEGER;
l_session DBMS_LDAP.session;
BEGIN
IF l_username IS NULL OR l_password IS NULL THEN
RAISE_APPLICATION_ERROR(-20000, 'Credentials must be specified.');
END IF;
-- Choose to raise exceptions.
DBMS_LDAP.use_exception := TRUE;
-- Connect to the LDAP server.
l_session := DBMS_LDAP.init(hostname => l_ldap_host,
portnum => l_ldap_port);
dbms_output.put_line ( 'connected' ) ;
l_retval := DBMS_LDAP.open_ssl (ld => l_session,
sslwrl => 'file:/u01/app/oracle/owm/wallets/oracle',
sslwalletpasswd => '<PASSWORD>',
sslauth => 2);
dbms_output.put_line ( 'ssl opened' ) ;
l_retval := DBMS_LDAP.simple_bind_s(ld => l_session,
dn => l_dn_prefix || l_username,
passwd => l_password);
-- No exceptions mean you are authenticated.
dbms_output.put_line ( 'authenticated' ) ;
END;
/
SQL> @auth
connected
declare
*
ERROR at line 1:
ORA-31202: DBMS_LDAP: LDAP client/server error: SSL handshake failed
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1489
ORA-06512: at "SYS.DBMS_LDAP", line 1266
ORA-06512: at line 26
Impact
The customer is unable to use LDAP server with SSL and APEX.
Changes
The host name used for HTTP calls is not the same host name associated with the SSL certificate implemented on the LDAP server.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |