Configuring proxied authorization
About this task
Configuring proxied authorization requires a combination of access control instructions (ACIs) and the proxied-auth privilege, assigned to the entry that will perform operations as another user.
You cannot use the
Unless your use case requires proxying root users and administrators, consider restricting proxy users as described in Restricting proxy users.
Steps
- Open a text editor and create a user entry that will request operations as another user. Include the proxied-auth privilege. Save the file as add-user.ldif.

  Example: In this example, the user entry uid=clientApp will request operations as uid=admin,dc=example,dc=com.

    dn: ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    objectClass: extensibleObject
    ou: Admins
    ou: Applications

    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Client
    uid: clientApp
    cn: Client App
    sn: App
    userPassword: password
    ds-privilege-name: proxied-auth
- Add the file using ldapmodify.

  Example:

    $ bin/ldapmodify --defaultAdd --filename add-user.ldif
- Create an LDIF file that assigns an ACI to the branch the client application targets, so that the client app user can access that branch as a proxied authorization user, and add the file using ldapmodify. The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, one client might need access to an accounts subtree to retrieve customer information, while another client might need access to a different subtree, such as a subscriber subtree.

  Example: In this example, the client application targets the ou=People,dc=example,dc=com subtree. The ACI should be on a single line of text; the example shows the ACI over multiple lines for readability.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (version 3.0; acl "People Proxy Access";
      allow(proxy) userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
- Run a search to test the configuration using the bind DN uid=clientApp and the proxyAs option. Prefix dn: to the DN of the entry to proxy as, or u: to the user name.

  Example: The uid=clientApp user binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree.

    $ bin/ldapsearch --port 1389 \
      --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
      --bindPassword password \
      --proxyAs "dn:uid=admin,dc=example,dc=com" \
      --baseDN ou=People,dc=example,dc=com \
      "(objectclass=*)"
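The following Python script is an added example, not part of this page or of the directory server's own tooling. It builds the two LDIF files from the steps above, folds the long ACI value the way LDIF (RFC 2849) permits (continuation lines begin with a single space, so the ACI stays one logical line even though it spans several physical lines), parses the result back to confirm the ACI round-trips intact, and checks that the DN named in the ACI's userdn is the entry carrying the proxied-auth privilege. The entry values are the constructed ones from this procedure; the function names and the check itself are the example's own assumptions.

```python
import re

# Constructed sample values, taken from the procedure above.
PROXY_USER_DN = "uid=clientApp,ou=Applications,dc=example,dc=com"
TARGET_SUBTREE = "ou=People,dc=example,dc=com"
ACI = ('(version 3.0; acl "People Proxy Access"; '
       f'allow(proxy) userdn="ldap:///{PROXY_USER_DN}";)')

# Records as ordered (attribute, value) pairs, mirroring add-user.ldif
# and the ACI modification from the steps above.
ADD_USER = [
    [("dn", "ou=Applications,dc=example,dc=com"), ("objectClass", "top"),
     ("objectClass", "organizationalUnit"), ("ou", "Applications")],
    [("dn", PROXY_USER_DN), ("objectClass", "top"), ("objectClass", "person"),
     ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
     ("givenName", "Client"), ("uid", "clientApp"), ("cn", "Client App"),
     ("sn", "App"), ("userPassword", "password"),
     ("ds-privilege-name", "proxied-auth")],
]
PROXY_ACI = [
    [("dn", TARGET_SUBTREE), ("changetype", "modify"), ("add", "aci"), ("aci", ACI)],
]


def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line into physical lines no longer than `width`.
    Per RFC 2849 each continuation line starts with exactly one space."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def to_ldif(records):
    """Serialize a list of records into folded LDIF text (plain values only;
    base64 '::' values are out of scope for this example)."""
    blocks = []
    for attrs in records:
        lines = []
        for attr, value in attrs:
            lines.extend(fold_ldif_line(f"{attr}: {value}"))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def unfold(text):
    """Join continuation lines back onto their logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return one dict per record, mapping attribute name to its list of values."""
    records, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return records


# Matches the grantee DN of an ACI that allows the proxy right.
ACI_USERDN = re.compile(r'allow\(proxy\)\s+userdn="ldap:///([^"]+)"')


def check_proxy_setup(user_ldif, aci_ldif):
    """Report mismatches between the ACI grantee and the privileged entry:
    the DN granted allow(proxy) must exist in user_ldif and must carry
    ds-privilege-name: proxied-auth, otherwise the proxy request is refused."""
    users = {r["dn"][0]: r for r in parse_ldif(user_ldif)}
    problems = []
    for rec in parse_ldif(aci_ldif):
        for aci in rec.get("aci", []):
            match = ACI_USERDN.search(aci)
            if not match:
                problems.append(f"{rec['dn'][0]}: ACI grants no proxy right")
                continue
            grantee = users.get(match.group(1))
            if grantee is None:
                problems.append(f"{match.group(1)}: not defined in the user LDIF")
            elif "proxied-auth" not in grantee.get("ds-privilege-name", []):
                problems.append(f"{match.group(1)}: lacks the proxied-auth privilege")
    return problems


if __name__ == "__main__":
    user_text, aci_text = to_ldif(ADD_USER), to_ldif(PROXY_ACI)
    print(user_text)
    print(aci_text)
    print("problems:", check_proxy_setup(user_text, aci_text) or "none")
```

Running the script prints both LDIF documents ready for `ldapmodify --defaultAdd` and `ldapmodify` respectively; the ACI line is emitted folded, which the server unfolds itself, so the "single line" requirement is met without a 120-character physical line. The check is worth keeping alongside the files: a user that is named in the ACI but lacks the privilege, or vice versa, is the most common reason the final ldapsearch test fails with an authorization error.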