Tuesday, August 14, 2012

APEX and ACL trouble (ORA-31204)

Today, I had to resolve an issue with an APEX LDAP call that succeeded in the development database, but failed in test with ORA-31204: DBMS_LDAP: PL/SQL - Invalid LDAP Session.
As this concerned 11g databases, my initial thought was: "Is an ACL defined?" On the other hand, I would have expected an error like "Access denied by ACL".
Anyway, check the ACLs:

column host format a30
column acl format a40
set pages 66 lines 132
select host, lower_port, upper_port, acl from dba_network_acls;

This resulted in two different lists; development had two more entries than test, and yes, test lacked an ACL where the LDAP server was mentioned. Checking the principals:

col principal for a30
select acl, principal from dba_network_acl_privileges;

This revealed APEX_040100 was not in the list. The following code creates an ACL with the connect privilege, adds the resolve privilege, and assigns the LDAP server host to this ACL:

begin
  -- Create the ACL and grant the APEX engine the 'connect' privilege
  -- (required in 11g for DBMS_LDAP to open a network connection).
  dbms_network_acl_admin.create_acl (
    acl         => 'ldap.xml',
    description => 'Allow ldap queries',
    principal   => 'APEX_040100',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- 'resolve' allows the host name to be resolved before connecting.
  dbms_network_acl_admin.add_privilege (
    acl       => 'ldap.xml',
    principal => 'APEX_040100',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- Assign the ACL to the LDAP server host (all ports, since no port range is given).
  dbms_network_acl_admin.assign_acl (
    acl  => 'ldap.xml',
    host => 'ldap.home.local');

  commit;
end;
/

After that, not only is the APEX user APEX_040100 listed as principal for the newly created ACL, the LDAP query now succeeds as well.
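Before creating anything, it helps to see exactly which ACL the database will apply to the LDAP host and what that ACL says about the principal. The query below is an added example, not part of the original post: it takes the host and principal from the post (substitute your own) and, for each ACL assigned to that host or to a matching wildcard domain, reports whether 'connect' and 'resolve' are granted, denied, or not mentioned at all. DBMS_NETWORK_ACL_UTILITY.DOMAINS expands the host to the candidate domains ('ldap.home.local', '*.home.local', '*.local', '*'), so wildcard assignments are matched the same way the database matches them at run time, and the most specific host sorts first.

```sql
-- Added example (not from the original post): which ACL governs one host,
-- and what it grants or denies to one principal.
column host         format a30
column acl          format a40
column connect_priv format a12
column resolve_priv format a12

select a.host, a.lower_port, a.upper_port, a.acl,
       decode (dbms_network_acl_admin.check_privilege_aclid (a.aclid, 'APEX_040100', 'connect'),
               1, 'GRANTED', 0, 'DENIED', 'NOT SET') as connect_priv,
       decode (dbms_network_acl_admin.check_privilege_aclid (a.aclid, 'APEX_040100', 'resolve'),
               1, 'GRANTED', 0, 'DENIED', 'NOT SET') as resolve_priv
  from dba_network_acls a
 where a.host in (select * from table (dbms_network_acl_utility.domains ('ldap.home.local')))
 order by dbms_network_acl_utility.domain_level (a.host) desc, a.lower_port, a.upper_port;
```

If the query returns no rows, no ACL covers the host at all, which is the situation the post describes for the test database; a row showing 'NOT SET' for connect means the host is covered by an ACL, but the APEX principal is not in it.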

Tuesday, July 03, 2012

Apex 4.2 just over the hill (Early Adopter)

Just missed Joel's entry, but APEX 4.2 Early Adopter is available. See his post here.

Tuesday, June 19, 2012

[OSSO] W14: mod_osso is loaded logfile flooding

If your application server logging is flooded with errors like the ones below, make sure a mod_osso config file (OssoConfigFile) is defined; it does not matter whether it is correct or even used.

[Thu May 24 15:55:42 2012] [warn] [client] [ecid: 10.xxx.yyy.zzz:12492:1337867740001,2]
[OSSO] W14: mod_osso is loaded but OssoConfigFile does not appear to be set.

http-500: oracle.ias.repository.schema.SchemaException

If a Single Sign On enabled Forms server fails to perform SSO and the client gets an HTTP-500 error with the stack trace below, check the variables "oid_formsid" and "formsid_group_dn" in formsweb.cfg ($ORACLE_HOME/forms/server/formsweb.cfg).

oracle.forms.net.ConnectionException: oracle.ias.repository.schema.SchemaException:
Unable to connect to Oracle Internet Directory Server.
Please verify that the correct Oracle Internet Directory Server parameters are specified in [Oracle Home of your server]/config/ias.properties.
Make sure that the Oracle Internet Directory Server specified in OIDhost, OIDport is up and running.
Base Exception : javax.naming.NamingException: [LDAP: error code 1 - User does not exist in directory for Proxy Switch]
at oracle.forms.servlet.FormsOIDContext.getOIDContext(Unknown Source)
at oracle.forms.servlet.FormsServlet.doRequest(Unknown Source)
at oracle.forms.servlet.FormsServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

CheckRepositoryPermission connectAs

When a Single Sign On Forms environment fails to log in and the client shows the following stack, check whether the forms container is correctly referenced in $ORACLE_HOME/config/jazn-data.xml.

java.lang.SecurityException: access denied (oracle.ias.repository.schemaimpl.CheckRepositoryPermission connectAs)
at oracle.security.jazn.util.JAZNSecurityManager.verifyPermission(Unknown Source)
at oracle.ias.repository.SchemaManager.connectAs(SchemaManager.java:1280)
at oracle.forms.servlet.FormsOIDContext.getOIDContext(Unknown Source)
at oracle.forms.servlet.FormsServlet.doRequest(Unknown Source)
at oracle.forms.servlet.FormsServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

Sunday, June 17, 2012

Resetting MS Windows Admin password

Of course, after all this time, I forgot the master password on the Windows Server image. Luckily, I have this bootable CDRom with password reset software. But this VMWare boots so damn quickly that I can never complete the sequence (point, click to boot, CTRL-G, F2) fast enough to get into the BIOS and change the default boot options.

Luckily, you can edit the configuration file, the .vmx file. Open it, and add the following line:

bios.forceSetupOnce = "TRUE"

Now I end up in the BIOS and can change the default boot sequence to attempt to boot from CD first. And it works like a charm:

Resetting to an empty password works (did this once before), so I'll go for that:

And sure enough: after rebooting into the server, Administrator no longer has a password, and I'm in!

Ready to do some SSO/WNA exercises...

VMWare and Precise

After the migration to Precise Pangolin (Ubuntu 12.04 LTS), I needed VMWare Player. I do have a MS Windows Server 2000 image, and attempts to make that available under VirtualBox resulted in a non-performing image.
So, the latest and the greatest VMWare Player (4.0.4) was installed.

Alas, it complains about services it needs to recompile, and that fails.
In detail, the virtual net services fail to compile.

Luckily, I found this blog entry.
Basically, download the patch mentioned and execute:

sudo su -
# unpack the vmnet module source that VMWare Player ships, and patch it
tar xvf /usr/lib/vmware/modules/source/vmnet.tar -C /tmp
cd /tmp
cp /home/frank/Downloads/vmnet.diffs /tmp
patch -p0 < vmnet.diffs
# keep the original archive, then repack the patched source in its place
cp /usr/lib/vmware/modules/source/vmnet.tar /usr/lib/vmware/modules/source/vmnet.tar.org
tar cvf /usr/lib/vmware/modules/source/vmnet.tar vmnet-only

Now, retry the compile by opening VMWare Player.

Even the networking part will now succeed and VMWare will present you with a license agreement. You can now use VMWare Player 4.0.4 on Precise Pangolin (12.04 LTS).

Sunday, June 03, 2012

Me like (upgraded hardware)

Me like a lot! Running two Oracle Virtual machines at the same time, on top of a minimal server install Ubuntu LTS 12.04:

After starting the SOA/BPEL services:

Got myself the latest (well, almost the latest) CPU, an Intel 2600K, and a new MoBo, with 16GB of memory.
Did the planned Ubuntu minimal install, but first of all ended up with the 12.04 (Precise Pangolin?) install (for AMD64... which works!) instead of the 11 version, and then decided to add the desktop.
Of course, that resulted in the horrendous Unity-based stuff, where nothing is where it used to be. So I had that removed and went back to GNOME.

Yep, me like. Now, bring in some BBQ weather!

Thursday, May 03, 2012

Advanced Security Option for Free

In an attempt to make right what somewhat backfired, the Advanced Security Option is now free (probably not always - check with your local store!):

"However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers a restricted use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675. In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters" 

For more info, and why you should be concerned, see this Oracle blog entry, and this CVE Warning.

Thursday, March 15, 2012

APEX_LDAP - but more

While less is more, not every APEX_LDAP function is rewritten.
Thus far, the following has been done and somewhat tested - this is V0.1 (and not even that call is implemented):

create or replace package frank_ldap
as
  -- Adjust as necessary.
  c_host        CONSTANT VARCHAR2 (80) := 'ora01v.home.local';
  c_domain_base CONSTANT VARCHAR2 (20) := 'dc=home,dc=nl';
  c_user_base   CONSTANT VARCHAR2 (35) := 'cn=Users,' || c_domain_base;
  c_group_base  CONSTANT VARCHAR2 (35) := 'cn=Groups,' || c_domain_base;

  -- After this line, no more adjustments should be necessary.

  -- Possible exceptions (the DBMS_LDAP exceptions this package lets through):
  -- general_error               31202 Raised any time an error is encountered that does not have
  --                                   a specific PL/SQL exception associated with it. The error
  --                                   string contains the description of the problem in the user's language.
  -- init_failed                 31203 Raised by DBMS_LDAP.init() if there are problems.
  -- invalid_session             31204 Raised by all functions and procedures in the DBMS_LDAP package
  --                                   if they are passed an invalid session handle.
  -- invalid_auth_method         31205 Raised by DBMS_LDAP.bind_s() if the authentication method requested
  --                                   is not supported.
  -- invalid_search_scope        31206 Raised by all search functions if the scope of the search is invalid.
  -- invalid_search_time_val     31207 Raised by DBMS_LDAP.search_st() if it is given an invalid value for a time limit.
  -- invalid_message             31208 Raised by all functions that iterate through a result set for getting
  --                                   entries from a search operation if the message handle given to them is invalid.
  -- count_entry_error           31209 Raised by DBMS_LDAP.count_entries if it cannot count the entries in a given result set.
  -- get_dn_error                31210 Raised by DBMS_LDAP.get_dn if the DN of the entry it is retrieving is NULL.
  -- invalid_entry_dn            31211 Raised by all functions that modify, add, or rename an entry if they are
  --                                   presented with an invalid entry DN.
  -- invalid_mod_array           31212 Raised by all functions that take a modification array as an argument
  --                                   if they are given an invalid modification array.
  -- invalid_mod_option          31213 Raised by DBMS_LDAP.populate_mod_array if the modification option given is anything
  -- invalid_mod_type            31214 Raised by DBMS_LDAP.populate_mod_array if the attribute type that is being
  --                                   modified is NULL.
  -- invalid_mod_value           31215 Raised by DBMS_LDAP.populate_mod_array if the modification value parameter
  --                                   for a given attribute is NULL.
  -- invalid_rdn                 31216 Raised by all functions and procedures that expect a valid RDN and are
  --                                   provided with an invalid one.
  -- invalid_newparent           31217 Raised by DBMS_LDAP.rename_s if the new parent of an entry being renamed is NULL.
  -- invalid_deleteoldrdn        31218 Raised by DBMS_LDAP.rename_s if the deleteoldrdn parameter is invalid.
  -- invalid_notypes             31219 Raised by DBMS_LDAP.explode_dn if the notypes parameter is invalid.
  -- invalid_ssl_wallet_loc      31220 Raised by DBMS_LDAP.open_ssl if the wallet location is NULL but the SSL
  --                                   authentication mode requires a valid wallet.
  -- invalid_ssl_wallet_password 31221 Raised by DBMS_LDAP.open_ssl if the wallet password given is NULL.
  -- invalid_ssl_auth_mode       31222 Raised by DBMS_LDAP.open_ssl if the SSL authentication mode is not 1, 2 or 3.

  -- authenticate: basically, tests if a simple bind succeeds, given the credentials supplied.
  -- Should be able to verify network connections by providing a NULL password (anonymous bind).
  -- p_username is expected to be a DN (i.e. 'cn=name,dc=domain_component'); returns TRUE if authenticated,
  -- raises the appropriate exception in all other cases.
  FUNCTION authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN;

  -- ismemberof: tests if a user is a member of a given group. User and group are searched for with
  -- scope = sub, so no DN, but used as ldap search filter. Groups may be nested (i.e. if
  -- user is a member of group A and group A is a member of group B, and this function is called with
  -- user and B as parameters, it will return TRUE).
  -- Call like: if (ismemberof('scott','dba_group')) then ...
  FUNCTION ismemberof (p_username IN VARCHAR2, p_groupname IN VARCHAR2)
    RETURN BOOLEAN;

  -- memberof: returns an array of groups the provided user is a member of. p_depth may have one of two possible
  -- p_username need not be a DN, as it is used as ldap search filter.
  -- The original listing omits the declaration line; the parameter list below is reconstructed
  -- from the description and the declared type of p_depth is an assumption.
  FUNCTION memberof (p_username IN VARCHAR2, p_depth IN VARCHAR2)
    RETURN wwv_flow_global.vc_arr2;

END frank_ldap;
/
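The spec above says authenticate should also be usable as a connectivity check by passing a NULL password. That combination deserves care in a login routine: per RFC 4513 an LDAP server may treat a bind with a DN and an empty password as an unauthenticated bind and answer success, so a function that returns TRUE in that case would accept any user with a blank password. The following is an added example, not the (wrapped) frank_ldap body from the post: one way to implement authenticate with DBMS_LDAP that refuses empty credentials up front and keeps the connectivity check separate. It takes c_host from the spec; the port (389) and the decision to return FALSE on a rejected bind rather than raise are assumptions of this example.

```sql
-- Added example, not code from the original post: a simple-bind authenticate
-- that can never succeed through an unauthenticated (empty-password) bind.
CREATE OR REPLACE FUNCTION ldap_authenticate (p_username IN VARCHAR2,
                                              p_password IN VARCHAR2)
  RETURN BOOLEAN
IS
  c_host    CONSTANT VARCHAR2 (80) := 'ora01v.home.local';  -- from the spec
  c_port    CONSTANT PLS_INTEGER  := 389;                   -- assumption
  l_session dbms_ldap.session;
  l_retval  PLS_INTEGER;

  PROCEDURE release (p_session IN OUT dbms_ldap.session) IS
    l_rc PLS_INTEGER;
  BEGIN
    l_rc := dbms_ldap.unbind_s (ld => p_session);
  EXCEPTION
    WHEN OTHERS THEN NULL;   -- session already gone; nothing left to release
  END release;
BEGIN
  -- Blank credentials are a connectivity check at best, never a login.
  IF p_username IS NULL OR p_password IS NULL THEN
    RETURN FALSE;
  END IF;

  dbms_ldap.use_exception := TRUE;   -- errors arrive as the ORA-312xx exceptions listed in the spec
  l_session := dbms_ldap.init (hostname => c_host, portnum => c_port);

  BEGIN
    -- p_username is expected to be a full DN, as the spec requires.
    l_retval := dbms_ldap.simple_bind_s (ld     => l_session,
                                         dn     => p_username,
                                         passwd => p_password);
    release (l_session);
    RETURN TRUE;
  EXCEPTION
    WHEN dbms_ldap.general_error THEN
      -- The server rejected the bind (typically "Invalid credentials"):
      -- report a failed login, not an error.
      release (l_session);
      RETURN FALSE;
    WHEN OTHERS THEN
      -- init_failed, invalid_session and friends mean the service, not the
      -- user, is at fault: clean up and let the caller see the real exception.
      release (l_session);
      RAISE;
  END;
END ldap_authenticate;
/

-- Connectivity check kept apart from authentication: an anonymous bind
-- (NULL dn and NULL password) that proves the ACL and the network path work.
CREATE OR REPLACE FUNCTION ldap_reachable RETURN BOOLEAN
IS
  l_session dbms_ldap.session;
  l_retval  PLS_INTEGER;
BEGIN
  dbms_ldap.use_exception := TRUE;
  l_session := dbms_ldap.init (hostname => 'ora01v.home.local', portnum => 389);
  l_retval  := dbms_ldap.simple_bind_s (ld => l_session, dn => NULL, passwd => NULL);
  l_retval  := dbms_ldap.unbind_s (ld => l_session);
  RETURN TRUE;
END ldap_reachable;
/
```

Because the example sets dbms_ldap.use_exception, an ORA-31204 like the one in the ACL post surfaces here as dbms_ldap.invalid_session and is re-raised to the caller, which is what you want: a missing ACL must look different from a wrong password.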

Body is:

create or replace package body frank_ldap wrapped
1150 625


The body uses dbms_application_info to identify itself by name for debugging and tracing purposes. Feedback is appreciated, and may lead to V1.0 :)

Thursday, March 01, 2012

Free as in freedom, not as in free beer

Please support this in an endeavour to stop The Evil Umpire.

Sunday, February 12, 2012


In the search for the integration of APEX with SSO and the OID, I became somewhat disappointed by the APEX_LDAP package.
Where it clearly states "p_group_base - The base from which the search should be started.", it actually does not search downward from that base (which would be the -s sub option of the command line ldapsearch), but expects the entry to be directly at that branch level.
It resembles the "-s base" option of the ldapsearch command line tool.
The scope "sub" is the ldapsearch default, by the way.

Took me about half a day of searching to realize the command line and the APEX package behave completely differently. This renders APEX_LDAP quite useless for my environment, where user entries are NOT found IN the 'cn=Users, dc=base_ldap_domain' branch, but usually one level deeper. Now I'll have to write my own LDAP packages - which I will post when I'm satisfied with them.
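The scope difference is easiest to see in DBMS_LDAP itself, where the scope is an explicit argument. The function below is an added example, not code from the post or from APEX_LDAP: it looks a user up under c_user_base with the scope passed in. With dbms_ldap.SCOPE_ONELEVEL only entries directly under the base are found, which reproduces the "entry must be in that branch level" behaviour the post describes; with dbms_ldap.SCOPE_SUBTREE (ldapsearch's -s sub default) a user one level deeper is found as well. Host and base come from the frank_ldap spec; port 389 and an anonymous bind with read access to the tree are assumptions. Since the username goes into a search filter, it is escaped per RFC 4515 first, so a value like *)(cn=* cannot widen the search to other entries.

```sql
-- Added example, not code from the original post: search under the user base
-- with a caller-chosen scope, escaping the username before it enters the filter.
CREATE OR REPLACE FUNCTION ldap_find_user_dn (
  p_username IN VARCHAR2,
  p_scope    IN PLS_INTEGER DEFAULT dbms_ldap.SCOPE_SUBTREE)
  RETURN VARCHAR2
IS
  c_host      CONSTANT VARCHAR2 (80) := 'ora01v.home.local';       -- from the spec
  c_port      CONSTANT PLS_INTEGER  := 389;                         -- assumption
  c_user_base CONSTANT VARCHAR2 (35) := 'cn=Users,dc=home,dc=nl';   -- from the spec
  l_session   dbms_ldap.session;
  l_message   dbms_ldap.message;
  l_entry     dbms_ldap.message;
  l_attrs     dbms_ldap.string_collection;
  l_retval    PLS_INTEGER;
  l_dn        VARCHAR2 (4000);

  -- Escape the characters that carry meaning in an LDAP search filter (RFC 4515).
  FUNCTION escape_filter (p_value IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2 (4000) := p_value;
  BEGIN
    l_out := REPLACE (l_out, '\', '\5c');   -- backslash first, so the others are not double-escaped
    l_out := REPLACE (l_out, '*', '\2a');
    l_out := REPLACE (l_out, '(', '\28');
    l_out := REPLACE (l_out, ')', '\29');
    l_out := REPLACE (l_out, CHR (0), '\00');
    RETURN l_out;
  END escape_filter;
BEGIN
  IF p_username IS NULL THEN
    RETURN NULL;
  END IF;

  dbms_ldap.use_exception := TRUE;
  l_session := dbms_ldap.init (hostname => c_host, portnum => c_port);
  l_retval  := dbms_ldap.simple_bind_s (ld => l_session, dn => NULL, passwd => NULL);

  l_attrs (1) := 'dn';   -- only the entry name is needed
  l_retval := dbms_ldap.search_s (
                ld       => l_session,
                base     => c_user_base,
                scope    => p_scope,   -- SCOPE_ONELEVEL: direct children only; SCOPE_SUBTREE: any depth
                filter   => '(cn=' || escape_filter (p_username) || ')',
                attrs    => l_attrs,
                attronly => 0,
                res      => l_message);

  -- Exactly one hit is a usable answer; zero (wrong scope or unknown user)
  -- and more than one (ambiguous name) both yield NULL.
  IF dbms_ldap.count_entries (ld => l_session, msg => l_message) = 1 THEN
    l_entry := dbms_ldap.first_entry (ld => l_session, msg => l_message);
    l_dn    := dbms_ldap.get_dn (ld => l_session, ldapentry => l_entry);
  END IF;

  l_retval := dbms_ldap.unbind_s (ld => l_session);
  RETURN l_dn;
END ldap_find_user_dn;
/

-- Usage: a user stored one level below cn=Users is found only with the wider scope.
-- select ldap_find_user_dn ('scott', dbms_ldap.SCOPE_ONELEVEL) from dual;  -- NULL
-- select ldap_find_user_dn ('scott', dbms_ldap.SCOPE_SUBTREE)  from dual;  -- the user's DN
```

Returning the found DN, rather than TRUE/FALSE, is deliberate: an authenticate routine can then bind with the real DN of the entry wherever it sits in the tree, instead of assembling 'cn=' || name || ',' || c_user_base and failing for exactly the users the post complains about.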

Monday, January 30, 2012

If ever you plan...

to post something on the internet about the US of A - don't.
And if you do, be sure to use plain English, or slang, that is understood by Homeland Security.
Read what could happen to you!