Monday, July 7, 2025

LDAP Directory Verification in Oracle APEX

Introduction
LDAP directory verification in Oracle APEX allows applications to authenticate users against an external directory service such as Microsoft Active Directory or Oracle Internet Directory. This method centralizes user management and enables APEX to validate credentials without storing usernames or passwords locally. By integrating with LDAP, organizations can enforce consistent security policies, simplify account administration, and support single sign-on environments across multiple enterprise applications.

LDAP directory verification in Oracle APEX allows your application to authenticate users against an external directory server such as Microsoft Active Directory, Oracle Internet Directory, or another LDAP-compliant service. This approach is commonly used in enterprise environments where user credentials are centrally managed. By integrating LDAP with APEX, you can validate usernames and passwords without storing them in the APEX application, and ensure that only authorized users from your organization can access the system.

To set up LDAP authentication in Oracle APEX, go to your application and navigate to Shared Components > Authentication Schemes. Click Create, then choose Based on a Preconfigured Scheme from Gallery. Select LDAP Directory and click Next. Name the scheme, for example “LDAP Corp Directory,” and finish the wizard.

Once the scheme is created, open it to configure the connection. Set the following values based on your directory server:

  • Host: The address of the LDAP server (e.g., ldap.mycompany.com)
  • Port: Typically 389 for non-SSL, or 636 for SSL connections
  • Use SSL: Enable this whenever your server supports secure connections; without it, the bind sends the user's password to the directory in clear text
  • Distinguished Name (DN) String: The format used to bind the user. For example:
    cn=%LDAP_USER%,ou=users,dc=mycompany,dc=com
    or
    uid=%LDAP_USER%,ou=people,dc=mydomain,dc=org

The %LDAP_USER% placeholder is replaced at runtime with the username entered by the user.

Optionally, you can define a Search Filter and Search Base DN if your LDAP requires a lookup to locate the full DN before binding. For example:

  • Search Filter: (sAMAccountName=%LDAP_USER%)
  • Search Base DN: ou=users,dc=mycompany,dc=com

Test the configuration by using the Test LDAP Connection button available in the scheme settings. Enter a sample username and password to confirm that authentication works as expected.

In your login page, use items like P101_USERNAME and P101_PASSWORD for users to enter their credentials. APEX will automatically use the LDAP authentication scheme to validate these values.

You can also define a Post-Authentication Procedure in PL/SQL to set additional session state or load user-specific data after successful login. Example:

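BEGIN
  -- Load the user's department into the APP_DEPARTMENT application item.
  SELECT department INTO :APP_DEPARTMENT
  FROM company_users
  WHERE username = :APP_USER;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    :APP_DEPARTMENT := NULL;  -- no matching row: leave the item empty rather than raise an error during login
END;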

To restrict access further, you can implement Authorization Schemes that check user roles or LDAP group membership stored in a separate table or retrieved via PL/SQL.

LDAP authentication keeps user credentials centralized and aligns APEX security with organizational IT policies. However, the LDAP server must be properly configured and accessible from the APEX runtime environment, and secure connections (via SSL) should always be used in production.

By using LDAP directory verification in Oracle APEX, you streamline authentication, reduce duplicate account management, and provide a secure, integrated login experience for users within your organization.

Overview:
Oracle APEX allows authentication using Lightweight Directory Access Protocol (LDAP), enabling user credentials (username and password) to be validated against an LDAP directory. This approach is ideal for organizations that manage users centrally through an LDAP server, such as Microsoft Active Directory, Oracle Internet Directory (OID), or OpenLDAP.

You can configure LDAP authentication for any authentication scheme that utilizes a login page. Oracle APEX provides wizards and configuration pages to streamline the setup process. However, before proceeding, ensure that:

  • An LDAP directory is accessible to your application.
  • The LDAP server supports SIMPLE_BIND_S for credential verification.


How LDAP Directory Verification Works

When you create an LDAP Credentials authentication scheme, APEX prompts you to provide LDAP connection details, including:

  1. LDAP Server Hostname – The address of the LDAP server.
  2. LDAP Port – Typically 389 (non-SSL) or 636 (SSL).
  3. Distinguished Name (DN) String – The user’s directory path.
  4. SSL Configuration – Whether to use Secure Sockets Layer (SSL) for encryption.
  5. Exact DN vs. Search Filter
    • If using Exact DN, user authentication is performed against a specific directory path.
    • If not using Exact DN, an optional Search Filter can be configured to locate the user dynamically.
  6. Optional Preprocessing Function – A function to modify or format the username before passing it to the API.


Setting Up LDAP Authentication in Oracle APEX

To configure LDAP authentication:

  1. Navigate to the Authentication Schemes Page:
    • Open App Builder.
    • Select an application.
    • On the Application home page, go to Shared Components.
    • Under Security, select Authentication Schemes.
  2. Create a New LDAP Authentication Scheme:
    • Click Create.
    • Choose Based on a pre-configured scheme from the gallery, then click Next.
  3. Define Authentication Details:
    • Name: Enter a descriptive name for the authentication scheme.
    • Scheme Type: Select LDAP Directory.
  4. Enter LDAP Connection Settings:
    • LDAP Hostname: Specify the IP address or fully qualified domain name (FQDN) of the LDAP server.
    • LDAP Port
      • Use 389 for a standard connection.
      • Use 636 for an SSL-secured connection.
    • Use SSL: Select Yes to enable SSL encryption if required.
  5. Specify User Search Settings:
    • Distinguished Name (DN) String: Provide the user’s directory path.
    • Exact DN Matching
      • If enabled, APEX will use the DN string as provided.
      • If disabled, you can configure a search filter to locate the user dynamically.
    • Search Filter (if not using Exact DN)
      • A search filter defines how users are found in the directory. Example:
        (sAMAccountName=%LDAP_USER%)
      • Here, %LDAP_USER% is a placeholder replaced by the username entered on the login page.
  6. (Optional) Configure a Preprocessing Function:
    • Define a PL/SQL function to modify or format the username before authentication.
    • This is useful for cases where usernames need normalization, such as adding a domain prefix.
  7. Save and Activate the Authentication Scheme:
    • Click Create Authentication Scheme.
    • Set this scheme as Current to activate it.
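
One way to write the optional preprocessing function from step 6, shown here as an added example that is not code from the original post or from Oracle. It reduces the login forms CORP\jsmith and jsmith@mycompany.com to the bare name that a DN string such as cn=%LDAP_USER%,... or a filter such as (sAMAccountName=%LDAP_USER%) expects, and rejects any value containing characters that carry special meaning in a DN or search filter. The function name, the allowed character set, the 64-character limit and the error number are assumptions.

```plsql
-- Added example: name, allow-list, length limit and error number are assumptions.
CREATE OR REPLACE FUNCTION normalize_ldap_username (
  p_username IN VARCHAR2
) RETURN VARCHAR2
IS
  l_name VARCHAR2(32767) := TRIM(p_username);
  l_pos  PLS_INTEGER;
BEGIN
  -- "CORP\jsmith": keep only what follows the last backslash.
  l_pos := INSTR(l_name, '\', -1);
  IF l_pos > 0 THEN
    l_name := SUBSTR(l_name, l_pos + 1);
  END IF;

  -- "jsmith@mycompany.com": keep only what precedes the first @.
  l_pos := INSTR(l_name, '@');
  IF l_pos > 0 THEN
    l_name := SUBSTR(l_name, 1, l_pos - 1);
  END IF;

  l_name := LOWER(l_name);

  -- Allow-list check. Everything outside a-z, 0-9, dot, underscore and
  -- hyphen is refused, which excludes the DN and filter metacharacters
  -- ( ) * \ , + " < > ; = # as well as control characters.
  -- An empty result is NULL in Oracle, so test for it explicitly.
  IF l_name IS NULL
     OR LENGTH(l_name) > 64
     OR REGEXP_LIKE(l_name, '[^a-z0-9._-]')
  THEN
    RAISE_APPLICATION_ERROR(-20001, 'Invalid username format.');
  END IF;

  RETURN l_name;
END normalize_ldap_username;
/

-- In the scheme's preprocessing field, pass in the name the user typed,
-- which Oracle's documentation exposes as the :USERNAME bind variable:
--   return normalize_ldap_username(:USERNAME);
```

Rejecting the value outright, instead of silently stripping the offending characters, keeps one directory account from being reachable under several spellings of the login name.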

Advantages of LDAP Authentication in APEX

  • Centralized User Management – Users and credentials are managed in Active Directory or another LDAP server, eliminating the need for application-specific user accounts.
  • Single Sign-On (SSO) Compatibility – Works well with enterprise SSO implementations.
  • Secure Authentication – Supports SSL/TLS encryption for secure communication between APEX and the LDAP server.
  • Flexible User Lookup – Can authenticate using Exact DN or custom search filters.

By leveraging LDAP authentication, organizations can seamlessly integrate Oracle APEX with their existing identity management infrastructure while maintaining a secure and scalable authentication model.

Conclusion
Using LDAP directory verification in Oracle APEX enhances security and streamlines user access by relying on a centralized, trusted directory service. It eliminates the need to maintain separate user accounts within APEX and supports compliance with enterprise authentication standards. When properly configured, LDAP integration offers a seamless and secure login experience for users while giving administrators tighter control over access and user lifecycle management.


