
Creating an AD Authorization Scheme

Jared C · Mar 6 2025

APEX Version: 24.1.6

We are switching to using Active Directory (on premises, so no Entra) for our authentication. I figured out how to do it, mostly from this one article.

Now, however, I need to create authorization schemes. These authorization schemes would need to provide authorization based on the signed-in user's department, mainly, but possibly other attributes such as AD groups, etc.

I've researched a bit online, but am having trouble finding any guides on how to implement authorization schemes specific to Active Directory. One route that seems like it could work is using the DBMS_LDAP package to query the Active Directory.

However, I'm wondering A) whether there are any easier / out-of-the-box ways, and, if not, B) what would be a recommended strategy for implementing AD authorization schemes?

This post has been answered by Jared C on Mar 7 2025

Comments

Jared C

Ok, I came across this blog and got the function implemented for our environment. It works as expected, but now, I am wondering how to set it up within Oracle APEX itself.

Specifically, if I make a call to ldap_auth in the Create Authorization Scheme dialog, how do I capture the username / password? I am mainly confused since at this point, I am trying to get an authorization at some point after authentication.

Jared C
Answer

Alright, we figured it out.

Instead of passing the password to the ldap_auth function, we made a service account that has read-only permissions to all of the users' attributes. We accomplished this by doing this:

Then I put those credentials in the function, and we pass in the username (:APP_USER is available in the Create Authorization Scheme dialog) and the group we want to check whether the user is in.

Marked as Answer by Jared C · Mar 7 2025
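
A sketch of the group check described in the answer, as an added example that is not the code from this thread or from the linked blog. The function name `ad_user_in_group`, its parameters, and the host, base DN and wallet values are hypothetical placeholders; it assumes an auto-login wallet holding the directory's CA certificate and checks direct group membership only.

```plsql
create or replace function ad_user_in_group (
    p_username in varchar2,  -- pass :APP_USER from the authorization scheme
    p_group_dn in varchar2,  -- full DN of the AD group to test
    p_bind_dn  in varchar2,  -- DN of the read-only service account
    p_bind_pw  in varchar2   -- its password, fetched by the caller from protected storage
) return boolean
is
    -- Placeholder connection values (assumptions; replace for your site).
    c_host   constant varchar2(200) := 'ad.example.com';
    c_port   constant pls_integer   := 636;
    c_base   constant varchar2(200) := 'DC=example,DC=com';
    c_wallet constant varchar2(200) := 'file:/path/to/wallet';
    l_session dbms_ldap.session;
    l_attrs   dbms_ldap.string_collection;
    l_result  dbms_ldap.message;
    l_rc      pls_integer;
    l_found   boolean := false;
begin
    dbms_ldap.use_exception := true;  -- raise on LDAP errors instead of returning codes
    l_session := dbms_ldap.init(c_host, c_port);
    begin
        -- LDAPS with server authentication (mode 2), so the service account
        -- password is not sent in clear text by the simple bind.
        l_rc := dbms_ldap.open_ssl(l_session, c_wallet, null, 2);
        l_rc := dbms_ldap.simple_bind_s(l_session, p_bind_dn, p_bind_pw);
        l_attrs(1) := 'sAMAccountName';
        -- Both values are escaped so that characters such as * ( ) \ in the
        -- user name or group DN cannot change the meaning of the filter.
        l_rc := dbms_ldap.search_s(
            l_session, c_base, dbms_ldap.scope_subtree,
            '(&(objectCategory=person)(sAMAccountName='
                || apex_escape.ldap_search_filter(p_username)
                || ')(memberOf='
                || apex_escape.ldap_search_filter(p_group_dn) || '))',
            l_attrs, 0, l_result);
        -- Exactly one matching account means the user is in the group.
        l_found := dbms_ldap.count_entries(l_session, l_result) = 1;
    exception
        when others then
            l_found := false;  -- fail closed: any directory error denies access
    end;
    l_rc := dbms_ldap.unbind_s(l_session);
    return l_found;
end ad_user_in_group;
/
```

In an authorization scheme of type PL/SQL Function Returning Boolean, the body would be a single `return ad_user_in_group(:APP_USER, ...)` call with the group DN and the service account credentials supplied from wherever the site keeps them.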