PingDirectory

Configuring proxied authorization

About this task

Configuring proxied authorization requires a combination of access control instructions (ACIs) and the proxied-auth privilege to the entry that will perform operations as another user.

You cannot use the cn=Directory Manager root DN as a proxying DN.

Unless your use case requires proxying root users and administrators, consider restricting proxy users as described in Restricting proxy users.

Steps

  1. Open a text editor and create a user entry that will request operations as another user. Include the proxied-auth privilege. Save the file as add-user.ldif.

    Example:

    In this example, the user entry uid=clientApp will request operations as uid=admin,dc=example,dc=com.

    dn: ou=Applications,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
ou: Admins
ou: Applications

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Client
uid: clientApp
cn: Client App
sn: App
userPassword: password
ds-privilege-name: proxied-auth

  2. Add the file using ldapmodify.

    Example:

    $ bin/ldapmodify --defaultAdd --filename add-user.ldif

  3. To allow the target, open a text editor and create an LDIF file to assign an ACI to that branch so that the client app user can access it as a proxy auth user. Add the file using theldapmodify.

    The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, a client might need access to an accounts subtree to retrieve customer information while another client might need access to another subtree, such as a subscriber subtree.

    Example:

    In this example, the client application targets the ou=People,dc=example,dc=com subtree.

    The ACI should be on a single line of text. The example shows the ACI over multiple lines for readability.

    		 
    dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci:  (version 3.0; acl "People Proxy Access"; allow(proxy)
  userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)

  4. Run a search to test the configuration using the bind DN uid=clientApp and the proxyAs option.

    Prefix dn: to the proxying entry or u: to the user name.

    Example:

    The uid=clientApp binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree.

    $ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"