PingDirectory

Restricting proxied authorization for specific users

Use the following example scenario with proxied users to restrict proxied authorization.

About this task

To illustrate how the proxied authorization operational attributes work, set up a simple example where two LDAP clients, uid=clientApp1 and uid=clientApp2, can freely proxy two administrator accounts, uid=admin1 and uid=admin2. Add the ds-auth-may-proxy-as-* and ds-auth-is-proxyable-* attributes to these entries to restrict how each account can use proxied authorization.

For example, the two client applications can continue to proxy the uid=admin1 account but the uid=admin2 account are no longer able to be used as a proxied entry.

A flowchart showing an example configuration of restricting proxied authorization for specific users. In the first configuration, both client apps can proxy as either of the admins to perform operations. In the second configuration, both client apps must proxy as the first admin to perform operations.
Proxy Users Example Scenario

Steps

  1. Set up two user entries, uid=clientApp1 and uid=clientApp2, with the proxied-auth privilege assigned to them.

    The user entries will proxy as the uid=admin1 and uid=admin2 accounts to access the ou=People,dc=example,dc=com subtree.

    1. Open a text editor and create an LDIF file.

    2. Add the file using the ldapmodify tool.

      Example:

      In this example, indicates that other attributes present in the entry are not included for readability purposes.

      		 
      dn: uid=clientApp1,ou=Applications,dc=example,dc=com
objectClass: top
...
ds-privilege-name: proxied-auth

dn: uid=clientApp2,ou=Applications,dc=example,dc=com
objectClass: top
...
ds-privilege-name: proxied-auth

  2. Assign the access control instruction (ACI) for each client application to the subtree, ou=People,dc=example,dc=com.

    ACIs should be on one line of text. The following example displays ACIs over multiple lines for readability.

    Example:

    dn: ou=People,dc=example,dc=com
aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
       userdn="ldap:///uid=clientApp1,ou=Applications,dc=example,dc=com";)
aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
       userdn="ldap:///uid=clientApp2,ou=Applications,dc=example,dc=com";)

  3. Run a search for each entry.

    Example:

    In this example, assume that there are two admin accounts, admin1 and admin2, that have full access rights to user attributes. You should be able to proxy as the uid=admin1 and uid=admin2 entries to access the subtree for both clients.

    $ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp1,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin1,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"

$ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp2,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin2,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"

  4. Limit the proxied authorization capabilities for each client application.

    In the following example, the ds-auth-may-proxy-as attribute specifies that uid=clientApp1 can proxy as the uid=admin1 entry.

    1. Open a text editor and create the following LDIF file.

    2. Update the uid=clientApp1 entry to add the ds-auth-may-proxy-as attribute.

      ds-auth-may-proxy-as is multi-valued.

    3. Save the file and add it using ldapmodify.

      Example:

      dn: uid=clientApp1,ou=Applications,dc=example,dc=com
changetype: modify
add: ds-auth-may-proxy-as
ds-auth-may-proxy-as: uid=admin1,dc=example,dc=com

  5. Repeat the previous step for the uid=clientApp2 entry, but specify the ds-auth-may-proxy-as-url attribute.

    The client entry can proxy as any distinguished name (DN) that matches the LDAP URL.

    Example:

    dn: uid=clientApp2,ou=Applications,dc=example,dc=com
changetype: modify
add: ds-auth-may-proxy-as-url
ds-auth-may-proxy-as-url: ldap:///dc=example,dc=com??sub?(uid=admin*)

  6. To illustrate the ds-auth-proxyable-by-group attribute, create a group of client applications that has uid=clientApp1 and uid=clientApp2 as its uniquemembers.

    Example:

    This example sets up a static group using the groupOfUniqueNames object class.

    dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: groups

dn: cn=Client Applications,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Client Applications
ou: groups
uniquemember: uid=clientApp1,ou=Applications,dc=example,dc=com
uniquemember: uid=clientApp2,ou=Applications,dc=example,dc=com

  7. Update the uid=admin1 entry to provide the DN that it can be proxied as.

    1. Open a text editor and create the following LDIF file.

    2. Use the ds-auth-is-proxyable to make the uid=admin1 a required proxyable entry, meaning that it can only be accessed by some form of proxied authorization.

    3. Use the ds-auth-is-proxyable-by attribute to specify each DN that can proxy as uid=admin1.

    4. Save the LDIF file and add it using ldapmodify.

      Example:

      dn: uid=admin1,dc=example,dc=com
changetype: modify
add: ds-auth-is-proxyable
ds-auth-is-proxyable: required
-
add: ds-auth-is-proxyable-by
ds-auth-is-proxyable-by: ou=clientApp1,ou=Applications,dc=example,dc=com
ds-auth-is-proxyable-by: ou=clientApp2,ou=Applications,dc=example,dc=com
-
add: ds-auth-is-proxyable-by-group
ds-auth-is-proxyable-by-group: cn=Client Applications,ou=Groups,dc=example,dc=com
-
add: ds-auth-is-proxyable-by-url
ds-auth-is-proxyable-by-url: ldap:///ou=Applications,dc=example,dc=com??sub?(uid=clientApp*)

      The example includes all three types of ds-auth-is-proxable-by-* attributes as an illustration, but only one type of attribute is necessary if they all target the same entries.

  8. Prohibit proxying for the uid=admin2 entry.

    1. Open a text editor and create the following LDIF file.

    2. Set the ds-auth-is-proxyable attribute to prohibited.

    3. Save the LDIF file and add it using ldapmodify.

      Example:

      dn: uid=admin2,dc=example,dc=com
changetype: modify
add: ds-auth-is-proxyable
ds-auth-is-proxyable: prohibited

  9. Run a search using the proxied account.

    1. To return a successful operation, run a search with uid=clientApp1 or uid=clientApp2 that proxies as uid=admin1.

    2. To return an unsuccessful operation, run a search for uid=clientApp1 that proxies as uid=admin2.

      Example:

      $ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp1,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin2,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"

      Result:

      The operation is unsuccessful because uid=admin2 does not match the list of potential entries that can be proxied. The ds-auth-may-proxy-as-* attributes specify that the client can only proxy as uid=admin1.

      One of the operational attributes (ds-auth-may-proxy-as,
ds-auth-may-proxy-as-group, ds-auth-may-proxy-as-url) in user entry
'uid=clientApp1,ou=Applications,dc=example,dc=com' does not allow
that user to be proxied as user 'uid=admin2,dc=example,dc=com'

Result Code: 123 (Authorization Denied)

Diagnostic Message: One of the operational attributes (ds-auth-may-proxy-as,
ds-auth-may-proxy-as-group, ds-auth-may-proxy-as-url) in user entry
'uid=clientApp1,ou=Applications,dc=example,dc=com' does not allow that
user to be proxied as user 'uid=admin2,dc=example,dc=com'

  10. Run another search using uid=clientApp2, which attempts to proxy as uid=admin2.

    Example:

    $ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp2,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin2,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"

    Result:

    The operation is unsuccessful because the ds-auth-is-proxyable:prohibited operational attribute states that uid=admin2 is not available for proxied authorization.

    The 'ds-auth-is-proxyable' operational attribute
in user entry 'uid=admin2,dc=example,dc=com' indicates that
user may not be accessed via proxied authorization

Result Code: 123 (Authorization Denied)

Diagnostic Message: The 'ds-auth-is-proxyable' operational
attribute in user entry 'uid=admin2,dc=example,dc=com' indicates
that user may not be accessed via proxied authorization