Tags: active, apex, connects, database, directory, expiration, expire, flag, function, ldap, mysql, oracle, password, sql, user
LDAP Function Connects to AD - Password expiration
We have a function that connects APEX to Active Directory. When the user password is about to expire in active directory, the flag is changed to 1. This is causing the user login with APEX to fail. How can we prevent this?
>>We have a function that connects APEX to Active Directory.
Your application may be connecting and using AD but APEX does not connect to anything.
>>When the user password is about to expire in active directory, the flag is changed to 1.
"the flag" ? What flag?
>>This is causing the user login with APEX to fail.
Are you using LDAP (AD) as part of your authentication scheme to authenticate users to your application or only to do other lookups after the user has already logged in, presumably with a non-LDAP method?
I don't know what your code looks like exactly, but the call to dbms_ldap.simple_bind_s (or the equivalent if you did something special to access AD) is raising an exception, and this would cause your application's authentication function to return false (assuming you are using AD to authenticate). If you are using LDAP for other lookups, I don't know what you mean by "This is causing the user login with APEX to fail."
>>How can we prevent this?
What do you want to happen instead?
If the simple_bind_s call is getting an exception from which you can discern the imminent password expiration situation, then you could put a process on your login page to first try that call using the username/password and if you catch the exception you're looking for, redirect to a site where the user can update the password. This does not meet your requirement, however, to "prevent" the login from failing.
You will want to start your experiment using SQL*Plus and the following code and adapt it so that it can access AD (I don't have an example, sorry). This takes Application Express out of the picture since your problem is not related to Application Express facilities directly, but is simply a matter of getting code in your application to work properly with AD.
set serveroutput on
declare
  l_retval      pls_integer;
  l_session     dbms_ldap.session;
  l_ldap_host   varchar2(256);
  l_ldap_port   pls_integer;
  l_ldap_user   varchar2(256);
  l_ldap_passwd varchar2(256);
begin
  l_retval := -1;
  dbms_ldap.use_exception := TRUE;  -- raise ORA-31202 on LDAP errors instead of returning a code
  l_ldap_host := 'xxxx.yyyy.com';
  l_ldap_port := '389';
  l_ldap_user := 'cn=SOME-USER-NAME-HERE,l=xxxx,dc=dddd,dc=ccc';
  l_ldap_passwd := 'THE-PASSWORD-HERE';
  l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
  l_retval := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
  dbms_output.put_line( 'Return value: ' || l_retval );
  l_retval := dbms_ldap.unbind_s( l_session );
end;
/
Only after you figure out the protocol/handshaking and get your code to work in SQL*Plus should you try to incorporate it into your Application Express application.
Scott#1; Sat, 23 Feb 2008 14:43:00 GMT
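A helper for the login-page process Scott describes above (try the bind first, then branch on the outcome), added here as an example that is not part of the original thread. The host, port, base DN and the cn= form of the bind DN are assumptions to be replaced with your own values; the sub-status values matched in the error text (52e, 532, 773) are the documented Active Directory bind error data codes.

```plsql
-- Hypothetical helper (not from the original post): classify an AD bind
-- attempt so a login-page process can branch on the result.
create or replace function ad_bind_status (
  p_username in varchar2,
  p_password in varchar2
) return varchar2
is
  l_session dbms_ldap.session;
  l_retval  pls_integer;
  l_errmsg  varchar2(4000);
  -- assumed values: replace with your AD host, port and the users' DN base
  c_host    constant varchar2(100) := 'xxxx.yyyy.com';
  c_port    constant pls_integer   := 389;
  c_base    constant varchar2(100) := 'ou=people,dc=dddd,dc=ccc';
begin
  -- An empty password makes an LDAP simple bind anonymous (and successful) on
  -- most directories, and a username containing DN metacharacters could
  -- rewrite the bind DN, so reject both before touching the directory.
  if p_password is null or p_username is null
     or not regexp_like(p_username, '^[[:alnum:]._-]+$') then
    return 'BAD_CREDENTIALS';
  end if;

  dbms_ldap.use_exception := true;
  l_session := dbms_ldap.init(c_host, c_port);
  begin
    l_retval := dbms_ldap.simple_bind_s(l_session,
                  'cn=' || p_username || ',' || c_base, p_password);
    l_retval := dbms_ldap.unbind_s(l_session);
    return 'OK';
  exception
    when others then
      l_errmsg := sqlerrm;   -- ORA-31202 carries the server's diagnostic text
      begin
        l_retval := dbms_ldap.unbind_s(l_session);
      exception when others then null;  -- session already unusable
      end;
      -- AD puts its bind sub-status in that text: "data 532" = password
      -- expired, "data 773" = must change password, "data 52e" = bad password.
      if instr(l_errmsg, 'data 532') > 0 or instr(l_errmsg, 'data 773') > 0 then
        return 'PASSWORD_EXPIRED';
      elsif instr(l_errmsg, 'data 52e') > 0 then
        return 'BAD_CREDENTIALS';
      end if;
      return 'ERROR';   -- log l_errmsg server-side; do not show it to the user
  end;
end ad_bind_status;
/
```

The login-page process redirects to the password-change site when it gets 'PASSWORD_EXPIRED' and otherwise lets the normal authentication scheme run; it never reveals the raw directory error to the browser.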