LDAP Authentication Scheme With SSL Not Working

(Doc ID 2347957.1)

Last updated on JANUARY 14, 2018

Applies to:

Oracle Application Express (APEX) - Version 5.0.4.00.12 and later
Information in this document applies to any platform.

Symptoms

When attempting to test an LDAP connection to an Active Directory LDAP server using SSL, the request fails with the following:


ERROR
-----------------------
 1 error has occurred

  Authentication failed

  ORA-31202: DBMS_LDAP: LDAP client/server error: Can't contact LDAP server


The same request runs without error when not using SSL.
The correct wallet has been implemented in the database and referenced in the APEX instance settings.


STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Create an LDAP-based authentication scheme, and add the LDAP parameters to Development page p=4000.
2. Click the test login button. The error appears.


The following call also fails in SQL*Plus:
declare
  l_ldap_host VARCHAR2(256) := 'ldaps.example.com';
  l_ldap_port PLS_INTEGER   := 636;
  l_username  VARCHAR2(256) := '<USERNAME>';
  l_password  VARCHAR2(256) := '<PASSWORD>';
  -- l_ldap_base VARCHAR2(256) := 'dc=example,dc=com';
  l_dn_prefix VARCHAR2(100) := 'GA\'; -- Amend as desired (NetBIOS domain prefix, bound as DOMAIN\user).

  l_retval  PLS_INTEGER;
  l_session DBMS_LDAP.session;
BEGIN
  IF l_username IS NULL OR l_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20000, 'Credentials must be specified.');
  END IF;

  -- Choose to raise exceptions.
  DBMS_LDAP.use_exception := TRUE;

  -- Connect to the LDAP server.
  l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                              portnum  => l_ldap_port);

  dbms_output.put_line('connected');

  l_retval := DBMS_LDAP.open_ssl(ld              => l_session,
                                 sslwrl          => 'file:/u01/app/oracle/owm/wallets/oracle',
                                 sslwalletpasswd => '<PASSWORD>',
                                 sslauth         => 2); -- 2 = one-way SSL: the wallet must trust the server certificate

  dbms_output.put_line('ssl opened');

  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => l_dn_prefix || l_username,
                                      passwd => l_password);

  -- No exceptions mean you are authenticated.
  dbms_output.put_line('authenticated');

END;
/

SQL> @auth
connected
declare
*
ERROR at line 1:
ORA-31202: DBMS_LDAP: LDAP client/server error: SSL handshake failed
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1489
ORA-06512: at "SYS.DBMS_LDAP", line 1266
ORA-06512: at line 26

Impact

The customer is unable to use an LDAP server over SSL with APEX.

Changes

The host name used for HTTP calls is not the same host name associated with the SSL certificate implemented on the LDAP server.
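The mismatch described above can be checked outside the database before touching the wallet. The Go program below is an added diagnostic, not part of this note or of APEX: CoversHost applies the standard SAN and wildcard matching rules to the host name the script passes to DBMS_LDAP.init, FetchLeaf pulls the leaf certificate from a live LDAPS port purely for inspection, and SampleCert is a constructed certificate record whose names (ldap01.corp.example, *.corp.example) are assumed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// CoversHost reports whether a hostname-verifying client would accept host for
// cert: VerifyHostname matches the DNS SANs (a leading "*." covers exactly one
// label, case-insensitively) and ignores the subject CN, as Go does since 1.17.
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// FetchLeaf retrieves the server's leaf certificate without verifying it, so a
// certificate that fails the real handshake can still be inspected.
func FetchLeaf(host string, port int) (*x509.Certificate, error) {
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: true} // inspection only
	conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// SampleCert is a constructed stand-in for the parsed server certificate; its
// names are the directory server's own, not the alias the note's script uses.
func SampleCert() *x509.Certificate {
	return &x509.Certificate{
		Subject:  pkix.Name{CommonName: "ldap01.corp.example"},
		DNSNames: []string{"ldap01.corp.example", "*.corp.example"},
	}
}

func main() {
	host, cert := "ldaps.example.com", SampleCert() // host as passed to DBMS_LDAP.init; use FetchLeaf(host, 636) live
	if CoversHost(cert, host) {
		fmt.Printf("%q matches the certificate\n", host)
	} else {
		fmt.Printf("MISMATCH: %q is not on the certificate; it is valid for %v\n", host, cert.DNSNames)
	}
}
```

When the output reports a mismatch, the fix is to point DBMS_LDAP.init (and the APEX scheme) at one of the names listed, or to reissue the server certificate with the alias as a SAN.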

Cause
