The Directory Server provides a set of operational attributes that restrict the proxied authorization capabilities of a client application and of the entries it may proxy as. When these attributes are present in an entry, the Directory Server evaluates them together to form an allow list of users that can be proxied. If none of them is present, the client may potentially proxy as anyone (it must still hold the proxied-auth privilege, and the resulting operation is still subject to access control).
The Directory Server supports a two-tier provision system that, when configured, can restrict which users may be the subject of proxied authorization. The first tier is a set of ds-auth-may-proxy-as-* operational attributes on the entry of the client that binds to the server and carries out operations under the identity of another user. The second tier is a set of ds-auth-is-proxyable-* operational attributes on the target user entry that define whether access to that identity by means of proxied authorization is allowed, prohibited, or required. If allowed or required, the attributes also define which client entries can proxy as the user.
uid=clientApp, is requesting to search the ou=People,dc=example,dc=com branch as the user uid=admin, the command would look like this:
ldapsearch --bindDN uid=clientApp,dc=example,dc=com \
           --bindPassword password \
           --proxyAs uid=admin,dc=example,dc=com \
           --baseDN ou=People,dc=example,dc=com \
           "(objectClass=*)"
At bind, the Directory Server evaluates the list of users in the uid=clientApp entry based on the presence of any ds-auth-may-proxy-as-* attributes. In the figure below, the uid=clientApp entry has a ds-auth-may-proxy-as attribute with the value uid=admin, which means that the client application may proxy only as the uid=admin account. Next, the server confirms that uid=admin is in that list of proxyable users and then evaluates the ds-auth-is-proxyable-* attributes present in the uid=admin entry. These attributes determine whether proxying as uid=admin is allowed, prohibited, or required, and which client entries are permitted to do so. In this case, the uid=admin entry has the ds-auth-is-proxyable attribute with a value of "required", which indicates that the entry can only be accessed by means of proxied authorization (a direct bind as uid=admin is refused). The uid=admin entry also has the ds-auth-is-proxyable-by attribute with a value of uid=clientApp, which indicates that only the uid=clientApp entry may proxy as it. Once both sets of attributes have been confirmed, uid=clientApp remains the authenticated identity of the connection, but the operation is carried out with uid=admin as its authorization identity. From this point, the Directory Server performs ACI evaluation on the branch to determine whether that authorization identity, uid=admin, has access rights to the branch. If it does, the search request is processed; if it does not, the request is rejected even though both proxy checks passed.
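To make the two tiers concrete, the following is an added example (it is not PingDirectory code or output) that models the tier-1 and tier-2 evaluation over a small constructed LDIF fragment. The uid=clientApp and uid=admin entries mirror the scenario above; uid=batch, uid=auditor and uid=jdoe are hypothetical entries added to exercise the other branches (an unrestricted client, a prohibited target, an unrestricted target). Only ds-auth-may-proxy-as, ds-auth-is-proxyable and ds-auth-is-proxyable-by are modeled; the group and URL variants of those attributes, the proxied-auth privilege check and the ACI evaluation that follow in a real server are left out, and DN matching is a crude lower-case comparison rather than full DN normalization.

```python
from collections import defaultdict

# Constructed sample LDIF (hypothetical entries; not taken from any real server).
# uid=clientApp and uid=admin mirror the scenario in the text; uid=batch,
# uid=auditor and uid=jdoe are added to exercise the other branches.
SAMPLE_LDIF = """\
dn: uid=clientApp,dc=example,dc=com
objectClass: inetOrgPerson
uid: clientApp
ds-auth-may-proxy-as: uid=admin,dc=example,dc=com

dn: uid=admin,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
ds-auth-is-proxyable: required
ds-auth-is-proxyable-by: uid=clientApp,dc=example,dc=com

dn: uid=batch,dc=example,dc=com
objectClass: inetOrgPerson
uid: batch

dn: uid=auditor,dc=example,dc=com
objectClass: inetOrgPerson
uid: auditor
ds-auth-is-proxyable: prohibited

dn: uid=jdoe,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
"""


def normalize_dn(dn):
    """Crude DN normalization (assumption: lower-case, strip spaces around RDNs)."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def parse_ldif(text):
    """Minimal LDIF parser: one 'attr: value' per line, entries separated by a
    blank line. Base64 values, continuation lines and changetype records are
    deliberately not handled; this is only enough for the constructed sample."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = dict(attrs)
    return entries


def check_proxy(entries, client_dn, target_dn):
    """Decide whether client_dn may use proxied authorization to act as target_dn.
    Returns (allowed, reason) and follows the two tiers described in the text."""
    client = entries.get(normalize_dn(client_dn))
    target = entries.get(normalize_dn(target_dn))
    if client is None or target is None:
        return False, "client or target entry does not exist"

    # Tier 1: the client's own allow list. No ds-auth-may-proxy-as values means
    # the client is unrestricted at this tier (may potentially proxy as anyone).
    may_proxy_as = [normalize_dn(v) for v in client.get("ds-auth-may-proxy-as", [])]
    if may_proxy_as and normalize_dn(target_dn) not in may_proxy_as:
        return False, "target is not listed in the client's ds-auth-may-proxy-as"

    # Tier 2: the target's policy. A missing ds-auth-is-proxyable is treated as
    # allowed (assumption of this model).
    mode = target.get("ds-auth-is-proxyable", ["allowed"])[0].lower()
    if mode == "prohibited":
        return False, "target has ds-auth-is-proxyable: prohibited"
    proxyable_by = [normalize_dn(v) for v in target.get("ds-auth-is-proxyable-by", [])]
    if proxyable_by and normalize_dn(client_dn) not in proxyable_by:
        return False, "client is not listed in the target's ds-auth-is-proxyable-by"

    # Both tiers passed. A real server would additionally require the client to
    # hold the proxied-auth privilege and would then evaluate ACIs as the target.
    return True, "proxied authorization permitted; ACI evaluation follows as target"


def check_direct_access(entries, dn):
    """A 'required' entry may only be used through proxied authorization, so a
    direct bind (or any non-proxied operation) as that identity is refused."""
    entry = entries.get(normalize_dn(dn))
    if entry is None:
        return False
    return entry.get("ds-auth-is-proxyable", ["allowed"])[0].lower() != "required"


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    base = "dc=example,dc=com"
    for client, target in [("clientApp", "admin"), ("clientApp", "jdoe"),
                           ("batch", "admin"), ("batch", "auditor"), ("batch", "jdoe")]:
        print(f"{client} -> {target}:",
              check_proxy(ENTRIES, f"uid={client},{base}", f"uid={target},{base}"))
    print("direct bind as uid=admin allowed:",
          check_direct_access(ENTRIES, f"uid=admin,{base}"))
```

Running the block shows that only the clientApp-to-admin pairing passes both tiers, that clientApp is stopped at tier 1 for any other target, that batch (which has no tier-1 restriction) is stopped at tier 2 for admin and auditor but permitted for jdoe, and that a direct bind as uid=admin is refused because the entry is marked "required".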