Introduction
Setting up LDAP directory verification in Oracle APEX allows you to
authenticate users against an external directory service such as Microsoft
Active Directory or Oracle Internet Directory. This method helps centralize
user authentication, enforce consistent security policies, and eliminate the
need to manage separate login credentials within your APEX application. It is a
practical solution for enterprise environments where secure and unified access
control is essential.
Setting up LDAP directory verification in Oracle APEX enables your application to authenticate users against an external directory service such as Microsoft Active Directory, Oracle Internet Directory, or any LDAP-compliant server. This method helps you maintain centralized user management and enforce enterprise security policies while reducing the need to store or manage user credentials within the application.
To begin, open your application and go to Shared Components > Authentication Schemes. Click Create, then choose Based on a Preconfigured Scheme from Gallery. Select LDAP Directory from the list of available options and click Next. Provide a name for your scheme, such as “Corporate LDAP Login,” and complete the wizard. After creation, click the scheme name to edit its settings.
In the authentication scheme settings, you will find several important fields that must be configured:
- LDAP Host: Enter the hostname or IP address of your LDAP server (e.g., ldap.company.com).
- LDAP Port: Use port 389 for a standard connection or 636 if your server requires SSL.
- Use SSL: Check this box if your directory server enforces secure LDAP (LDAPS).
- Distinguished Name (DN) String: This is the pattern used to bind (authenticate) the user. Common formats are:
    cn=%LDAP_USER%,ou=users,dc=company,dc=com
  or
    uid=%LDAP_USER%,ou=people,dc=company,dc=org
  Replace the values to match your directory structure. %LDAP_USER% is replaced by the user's input at runtime.
If your LDAP server does not allow direct binding with the user's DN, you can perform a lookup using the Search Filter and Search Base DN:
- Search Filter: For Active Directory, this might be:
    (sAMAccountName=%LDAP_USER%)
- Search Base DN: This tells APEX where to begin searching in the directory hierarchy. For example:
    ou=users,dc=company,dc=com
You can test your LDAP connection directly from this screen by clicking the Test LDAP Connection button. Enter a valid username and password from your LDAP directory to confirm the setup works.
Once the LDAP scheme is properly configured and tested, set it as the current authentication method by clicking Set as Current.
Now configure your login page. Make sure you have two items, such as P101_USERNAME and P101_PASSWORD, and a login button. Oracle APEX will automatically use the current LDAP authentication scheme to verify user credentials during login. If the LDAP server confirms the credentials, the user will be logged in, and :APP_USER will be set to the provided username.
You can also add a Post-Authentication Procedure to perform additional steps after a successful login, such as loading user roles, department information, or session variables. Example:
BEGIN
  -- Load the LDAP-authenticated user's department into a page item
  SELECT department_id INTO :P0_DEPT_ID
    FROM company_users
   WHERE username = :APP_USER;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    :P0_DEPT_ID := NULL; -- no matching row: do not fail the login
END;
To further secure the application, you can define Authorization Schemes that restrict access based on group membership or role information stored in a table or fetched from LDAP.
LDAP authentication should only be used over secure connections. If you are using port 636 with SSL, confirm that your Oracle database has access to the directory server’s certificate. This ensures that all user credentials are transmitted securely.
Setting up LDAP directory verification in Oracle APEX is a powerful way to integrate your application with enterprise authentication systems. It improves security, simplifies user management, and ensures a consistent login experience across your organization’s tools and systems.
LDAP (Lightweight Directory Access Protocol) authentication enables Oracle APEX to validate user credentials against an LDAP directory, such as Active Directory (AD), Oracle Internet Directory (OID), or OpenLDAP. This allows centralized user management, improved security, and seamless authentication across multiple applications.
Before setting up LDAP authentication, ensure that:
- The LDAP directory server is accessible from the Oracle APEX environment.
- The LDAP server supports SIMPLE_BIND_S for credential verification.
- The host, port, distinguished name (DN), and optional search filter are known.
- If using SSL with authentication, an Oracle Wallet must be configured.
Steps to Set Up LDAP Directory Authentication
1. Access the Authentication Schemes Page:
   - Open App Builder.
   - Select the target application.
   - Navigate to Shared Components.
   - Under Security, click Authentication Schemes.
2. Create a New Authentication Scheme:
   - Click Create.
   - Choose Based on a pre-configured scheme from the gallery, then click Next.
3. Define Authentication Details:
   - Name – Enter a unique name for the authentication scheme.
   - Scheme Type – Select LDAP Directory.
4. Configure LDAP Server Connection Settings:
   - Host – Enter the hostname or IP address of the LDAP server.
   - Port – Specify the port number used for LDAP communication:
     - 389 (default, non-SSL)
     - 636 (SSL-secured connection)
   - Use SSL – Select whether to encrypt LDAP communication using SSL/TLS. If SSL with Authentication is selected, an Oracle Wallet must be configured.
5. Define Distinguished Name (DN) and Search Options:
   - Distinguished Name (DN) String – This determines how Oracle APEX constructs the fully qualified DN string when verifying user credentials. Use %LDAP_USER% as a placeholder for the username. Examples:
     - Exact DN Matching:
         cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com
       In this case, APEX binds directly with the constructed DN to authenticate the user.
     - Non-Exact DN (Search Base): If an exact DN is not known, specify the search base where users reside. A search filter is required in this case.
   - Use Distinguished Name (DN) – Choose whether APEX should use an exact DN or perform a user search:
     - Exact DN – Authenticate users using a predefined DN pattern.
     - Non-Exact DN (Search Base) – Perform a search for the user before binding.
6. Define Username Handling and Security Options:
   - LDAP Username Edit Function (Optional) – Specify a PL/SQL function to modify the username before authentication. This is useful for formatting usernames to match LDAP entries. Example:
       return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);
     Such a function could also replace special characters (e.g., periods with underscores) before passing the username to LDAP.
   - Username Escaping – Defines how special characters in %LDAP_USER% are handled. The correct setting depends on the LDAP server configuration and on whether the LDAP Username Edit Function already escapes special characters.
7. Save and Activate the Authentication Scheme:
   - Click Create Authentication Scheme.
   - Set this scheme as Current to activate it for the application.
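To make the DN String (step 5) and Username Escaping (step 6) settings concrete, here is an added Python example, not Oracle's or APEX's own code: it substitutes %LDAP_USER% into an exact-DN pattern and into a search filter while escaping the characters that RFC 4514 (DN values) and RFC 4515 (filter values) reserve, so that a username can neither break the DN nor act as a wildcard in the lookup. The templates and usernames are constructed samples.

```python
# Added example (not Oracle's or APEX's own code): how %LDAP_USER% is
# substituted into the DN String (exact-DN mode) and into the Search Filter
# (search-based mode), with the escaping the "Username Escaping" setting exists
# to provide. Rules follow RFC 4514 (DN values) and RFC 4515 (filter values).
# Templates and usernames below are constructed samples.

DN_SPECIALS = ',+"\\<>;='  # characters that must be backslash-escaped in a DN value


def escape_dn_value(value: str) -> str:
    """Escape a username for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in DN_SPECIALS
            or (ch == '#' and i == 0)          # leading '#'
            or (ch == ' ' and i in (0, last))  # leading or trailing space
        )
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a username for use inside a search filter (RFC 4515)."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def build_bind_dn(dn_template: str, username: str) -> str:
    """Exact-DN mode: APEX binds with the DN produced from the DN String."""
    return dn_template.replace('%LDAP_USER%', escape_dn_value(username))


def build_search_filter(filter_template: str, username: str) -> str:
    """Search-based mode: the user is looked up with this filter, then bound."""
    return filter_template.replace('%LDAP_USER%', escape_filter_value(username))


if __name__ == '__main__':
    # A comma in the username would otherwise start a new RDN in the DN.
    dn = build_bind_dn('cn=%LDAP_USER%,ou=users,dc=company,dc=com', 'Smith, John')
    print(dn)   # cn=Smith\, John,ou=users,dc=company,dc=com
    # An asterisk in the username is matched literally, not as a wildcard.
    flt = build_search_filter('(sAMAccountName=%LDAP_USER%)', 'j*smith')
    print(flt)  # (sAMAccountName=j\2asmith)
```

In APEX itself this escaping is handled by the Username Escaping setting or by the LDAP Username Edit Function; the functions above only show what that escaping must do.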
Additional Notes and Considerations
- Using SSL with Authentication:
  - If SSL with Authentication is selected, an Oracle Wallet must be configured for the Oracle APEX instance.
  - The root certificate of the LDAP server must be imported into this wallet as a trusted certificate to establish a secure connection.
- Exact DN vs. Search-Based Authentication:
  - Exact DN:
    - Faster, as no additional search is needed.
    - Requires a well-defined DN format for all users.
  - Search-Based Authentication:
    - More flexible, especially for large directories.
    - Requires an appropriate search base and filter.
Benefits of LDAP Authentication in Oracle APEX
- Centralized User Management – Eliminates the need for application-specific user accounts.
- Strong Security – Supports SSL encryption and custom username validation functions.
- Single Sign-On (SSO) Compatibility – Integrates with enterprise authentication solutions.
- Flexible User Lookup – Supports both exact DN matching and search-based authentication.
By implementing LDAP authentication, Oracle APEX applications can seamlessly integrate with enterprise directory services, ensuring secure, scalable, and centrally managed user authentication.
Conclusion
Configuring LDAP directory verification in Oracle APEX provides a secure and
efficient way to connect your application to an existing directory service. By
delegating authentication to a trusted LDAP server, you reduce administrative
overhead and ensure that only authorized users gain access. This setup enhances
security, supports enterprise-wide identity management, and delivers a seamless
login experience aligned with your organization’s standards.