Page created: 24 Jul 2019
Page updated: 6 Nov 2019
7.3 Product PingDirectory
- Open a text editor and create a user entry, such as uid=clientApp, which is the user entry that will request operations as another user, uid=admin,dc=example,dc=com. The client application entry also requires the proxied-auth privilege to allow it to run proxied authorization requests. Save the file as add-user.ldif. The userPassword value shown is a placeholder; give a real application account a strong password, since an entry holding proxied-auth can act as other users.

dn: ou=Applications,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
ou: Admins
ou: Applications

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Client
uid: clientApp
cn: Client App
sn: App
userPassword: password
ds-privilege-name: proxied-auth
- Add the file using ldapmodify.

$ bin/ldapmodify --defaultAdd --filename add-user.ldif
- The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, one client may need access to an accounts subtree to retrieve customer information, while another may need access to a subscriber subtree. In this example, we want the client application to target the ou=People,dc=example,dc=com subtree. To allow this, open a text editor and create an LDIF file that assigns an ACI to that branch so that the client app user can access it as a proxy auth user. Note that the ACI should be on a single line of text; it is shown here over two lines only for readability. Because the proxy permission does not limit which authorization identities the client may assume, scope the ACI to the narrowest subtree the application actually needs. Add the file using ldapmodify.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
  userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
- Run a search to test the configuration using the bind DN uid=clientApp and the --proxyAs option. The --proxyAs value is the authorization ID to proxy as: prefix "dn:" to the DN of the entry to impersonate, or "u:" to its user name. Here uid=clientApp binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree. If the client entry lacks the proxied-auth privilege, or the ACI does not grant it the proxy right on the target subtree, the server returns an error; it does not silently fall back to running the search as uid=clientApp.

$ bin/ldapsearch --port 1389 \
  --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
  --bindPassword password \
  --proxyAs "dn:uid=admin,dc=example,dc=com" \
  --baseDN ou=People,dc=example,dc=com \
  "(objectclass=*)"
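What --proxyAs does on the wire, as an added example that is not PingDirectory's code or part of the original page: the tool attaches the Proxied Authorization v2 control (RFC 4370, OID 2.16.840.1.113730.3.4.18) to the search request, with the authorization ID as the control value, and the server then checks the proxied-auth privilege and the proxy ACI before running the operation as that identity. The encoder and decoder below are written from the RFC; the authorization IDs used are the ones from the steps above, and the "dn:"/"u:" prefix rule is the one --proxyAs enforces.

```python
"""RFC 4370 Proxied Authorization v2 control, as sent by ldapsearch --proxyAs.

Added example: hand-rolled BER encoding of the control, not PingDirectory code.
"""

# OID of the Proxied Authorization v2 control (RFC 4370).
PROXIED_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"


def validate_authzid(authzid: str) -> str:
    """Check an authorization ID the way RFC 4370 and --proxyAs expect it.

    Accepted forms: "" (anonymous), "dn:<distinguishedName>" or "u:<userid>".
    A bare DN such as "uid=admin,dc=example,dc=com" is rejected.
    """
    if authzid == "":
        return authzid
    if authzid.startswith("dn:") and len(authzid) > len("dn:"):
        return authzid
    if authzid.startswith("u:") and len(authzid) > len("u:"):
        return authzid
    raise ValueError(f"authzId must be empty or start with 'dn:' or 'u:': {authzid!r}")


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_proxied_auth_control(authzid: str) -> bytes:
    """Build the LDAP Control SEQUENCE carrying the proxied authorization ID.

    Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
                           controlValue OCTET STRING }
    RFC 4370 requires criticality TRUE, so a server that cannot honour the
    control (missing proxied-auth privilege or proxy ACI) must fail the
    operation instead of running it as the bind DN.
    """
    authzid = validate_authzid(authzid)
    control_type = ber_tlv(0x04, PROXIED_AUTH_V2_OID.encode("ascii"))
    criticality = ber_tlv(0x01, b"\xff")  # BOOLEAN TRUE
    control_value = ber_tlv(0x04, authzid.encode("utf-8"))  # raw authzId, not BER-wrapped
    return ber_tlv(0x30, control_type + criticality + control_value)


def ber_read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, payload, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_proxied_auth_control(raw: bytes) -> dict:
    """Parse a Control SEQUENCE and enforce the RFC 4370 rules a server applies."""
    tag, body, end = ber_read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control is not a single SEQUENCE")
    tag, oid, pos = ber_read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    oid = oid.decode("ascii")
    if oid != PROXIED_AUTH_V2_OID:
        raise ValueError(f"unexpected control OID {oid}")
    critical = False  # BER DEFAULT FALSE when the BOOLEAN is absent
    if pos < len(body) and body[pos] == 0x01:
        tag, flag, pos = ber_read_tlv(body, pos)
        critical = flag != b"\x00"
    if not critical:
        raise ValueError("RFC 4370 requires criticality TRUE")
    if pos >= len(body):
        raise ValueError("controlValue must be present (empty means anonymous)")
    tag, value, pos = ber_read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("malformed controlValue")
    return {"oid": oid, "critical": True, "authzid": validate_authzid(value.decode("utf-8"))}


if __name__ == "__main__":
    raw = encode_proxied_auth_control("dn:uid=admin,dc=example,dc=com")
    print(raw.hex())
    print(decode_proxied_auth_control(raw))
```

The decoder mirrors what a compliant server must do with the control: reject it if the OID is unknown, if criticality is not TRUE, or if the value is not a well-formed authzId. Because the control is critical, a failure is surfaced as an error on the search rather than as a search quietly run under the client's own identity.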