Proxied authorization provides a standard control, defined in RFC 4370 (and an earlier Internet-Draft), for binding with the credentials of a proxy user who then carries out LDAP operations on behalf of other users. You might use proxied authorization, for example, to have your application bind with its own credentials and then carry out operations as the users who log in to the application.
Suppose you have an administrative directory client application that has an entry in the directory with DN cn=My App,ou=Apps,dc=example,dc=com. You can give that application the access rights and privileges to use proxied authorization. The default access control for OpenDJ permits authenticated users to use the proxied authorization control.

Suppose also that when directory administrator Kirsten Vaughan logs in to your application to change Babs Jensen's entry, your application looks up Kirsten's entry and finds that she has DN uid=kvaughan,ou=People,dc=example,dc=com. In the example commands in the following procedure, My App uses proxied authorization to make a change to Babs's entry as Kirsten.
Procedure 6.1. To Set Up Proxied Authorization
-
Grant access to applications that can use proxied authorization.

  $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
  dn: dc=example,dc=com
  changetype: modify
  add: aci
  aci: (target="ldap:///dc=example,dc=com")(targetattr ="*")(version 3.0; acl "Allow apps proxied auth"; allow(all, proxy)(userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)

  Processing MODIFY request for dc=example,dc=com
  MODIFY operation successful for DN dc=example,dc=com
-
Grant the privilege to use proxied authorization to My App.

  $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
  dn: cn=My App,ou=Apps,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: proxied-auth

  Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
  MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com
-
Test that My App can use proxied authorization.

  $ ldapmodify --port 1389 --bindDN "cn=My App,ou=Apps,dc=example,dc=com" --bindPassword password --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com"
  dn: uid=bjensen,ou=People,dc=example,dc=com
  changetype: modify
  replace: description
  description: Changed through proxied auth

  Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
  MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
If you need to map authorization identifiers using the u: form rather than the dn: form, you can set the identity mapper with the global configuration setting proxied-authorization-identity-mapper. For example, if you get user ID values from the client, such as bjensen, you can use the Exact Match Identity Mapper to match those to DNs based on an attribute of the entry. Use the dsconfig command interactively to investigate the settings you need.

