APEX_LDAP.AUTHENTICATE fails authentication for user names with high ASCII characters after upgrade to APEX 4.2.1
April 9, 2013 1 Comment
Environment: Application Express 4.2.1.00.08, Oracle Database 10.2.0.5.0, Microsoft Active Directory
Ok, this is a weird problem… We use a custom authentication function to validate and authenticate our application users against MS Active Directory. This custom function uses APEX_LDAP.AUTHENTICATE, which is actually some kind of wrapper around DBMS_LDAP.
After the upgrade from APEX 4.1.1 to 4.2.1, one of our users couldn’t log in any more. I double checked and his user name and password were correct. He could log in without any problems to the Windows domain. And he had used APEX before the upgrade, I saw that in the application logs.
It took some time to find out what the real problem was… Apparently, the user has a French character in his last name (e accent or “é”) and this caused the APEX_LDAP.AUTHENTICATE to fail and return false! When we replaced the French “é” by a low ASCII “e”, he could log in again…
I’m currently working with Oracle support on this. They must have changed something in APEX_LDAP.AUTHENTICATE that’s causing this behaviour… The strange thing is, DBMS_LDAP still works fine!! Based on feedback from Oracle support, I already tried to escape the user name using the function APEX_ESCAPE.LDAP_DN, but this didn’t help…
Below some examples.
This doesn’t work any more (it prints “not ok”):
begin if APEX_LDAP.AUTHENTICATE( p_username =>'TEST AIMÉ', p_password => 'Abcd4567', p_search_base => 'OU=Persons,OU=Users,OU=Belgium,OU=Domain Users,DC=be,DC=mydomain,DC=com', p_host => 'dc.be.mydomain.com', p_port => 389) then dbms_output.put_line('ok'); else dbms_output.put_line('not ok'); end if; end;
But this still works (it prints “User authenticated!”):
DECLARE vSession DBMS_LDAP.session; vResult PLS_INTEGER; BEGIN DBMS_LDAP.use_exception := TRUE; vSession := DBMS_LDAP.init ( hostname => 'dc.be.mydomain.com' , portnum => 389 ); vResult := DBMS_LDAP.simple_bind_s ( ld => vSession , dn => 'CN=TEST AIMÉ,OU=Persons,OU=Users,OU=Belgium,OU=Domain Users,DC=be,DC=mydomain,DC=com' , passwd => 'Abcd4567' ); DBMS_Output.put_line('User authenticated!'); vResult := DBMS_LDAP.unbind_s(vSession); END;
Weird, isn’t it??