Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
The Directory Server first evaluates the list of potential users that can be proxied for the authenticated user based on the presence of the `ds-auth-may-*` operational attributes in the entry. These operational attributes are multi-valued and are evaluated together if all are present in an entry:

- `ds-auth-may-proxy-as`. Specifies the user DNs that the associated user is allowed to proxy as. For instance, based on the previous example, you could specify in the `uid=clientApp` entry that it can proxy operations as `uid=admin` and `uid=agent1`.

  ```ldif
  dn: uid=clientApp,ou=Applications,dc=example,dc=com
  objectClass: top
  ...
  ds-privilege-name: proxied-auth
  ds-auth-may-proxy-as: uid=admin,dc=example,dc=com
  ds-auth-may-proxy-as: uid=agent1,ou=admins,dc=example,dc=com
  ```

- `ds-auth-may-proxy-as-group`. Specifies group DNs; the associated user is allowed to proxy as any member of those groups. For instance, you could specify that the potential users the `uid=clientApp` entry can proxy as are the members of the group `cn=Agents,ou=Groups,dc=example,dc=com`. This attribute is multi-valued, so more than one group can be specified. Nested static and dynamic groups are also supported.

  ```ldif
  dn: uid=clientApp,ou=Applications,dc=example,dc=com
  objectClass: top
  ...
  ds-privilege-name: proxied-auth
  ds-auth-may-proxy-as-group: cn=Agents,ou=Groups,dc=example,dc=com
  ```

- `ds-auth-may-proxy-as-url`. Specifies LDAP URLs; the associated user is allowed to proxy as any entry returned by the criteria defined in those URLs. For instance, the following specifies that the client can proxy as the entries under `ou=People,dc=example,dc=com` that match the filter `(l=austin)`. This attribute is multi-valued, so more than one LDAP URL can be specified.

  ```ldif
  dn: uid=clientApp,ou=Applications,dc=example,dc=com
  objectClass: top
  ...
  ds-privilege-name: proxied-auth
  ds-auth-may-proxy-as-url: ldap:///ou=People,dc=example,dc=com??sub?(l=austin)
  ```
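As an added illustration, not the product's code or the page's own example, the following Python model shows how the three attributes described above combine into one set of DNs the client may proxy as, with a nested static group and the LDAP URL from the example. The in-memory directory, the DN normalisation, the single-equality filter support and the requirement that the client hold the `proxied-auth` privilege are assumptions of this model; the server's own parser and its behaviour when none of the attributes is present are not described on this page.

```python
def norm(dn):  # case/space-normalised DN for comparison (constructed simplification)
    return ",".join(p.strip().lower() for p in dn.split(","))

def group_members(directory, group_dn, seen=None):
    """Expand a static group, recursing into nested groups (cycle-safe via seen)."""
    seen, out = set() if seen is None else seen, set()
    members = set(map(norm, directory.get(norm(group_dn), {}).get("member", []))) - seen
    seen |= members
    for m in members:
        is_group = "groupofnames" in map(str.lower, directory.get(m, {}).get("objectclass", []))
        out |= group_members(directory, m, seen) if is_group else {m}
    return out

def url_matches(directory, url):
    """Resolve ldap:///base?attrs?scope?filter; filter limited to one (attr=value)."""
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    base, scope = norm(parts[0]), parts[2] or "base"
    attr, _, value = parts[3].strip("()").partition("=")
    def in_url(dn, entry):
        depth = dn.count(",") - base.count(",")
        in_scope = (dn == base or dn.endswith("," + base)) and (
            scope == "sub" or depth == {"base": 0, "one": 1}[scope])
        return in_scope and (not attr or value.lower() in map(str.lower, entry.get(attr.lower(), [])))
    return {dn for dn, entry in directory.items() if in_url(dn, entry)}

def allowed_proxy_targets(directory, client_dn):
    """Union of the three ds-auth-may-proxy-as* attributes on the client's entry."""
    e = directory.get(norm(client_dn), {})
    targets = {norm(dn) for dn in e.get("ds-auth-may-proxy-as", [])}
    for g in e.get("ds-auth-may-proxy-as-group", []):
        targets |= group_members(directory, g)
    for u in e.get("ds-auth-may-proxy-as-url", []):
        targets |= url_matches(directory, u)
    return targets

def may_proxy_as(directory, client_dn, target_dn):
    """Authorization check (assumed): client holds proxied-auth and target is in its allowed set."""
    privs = directory.get(norm(client_dn), {}).get("ds-privilege-name", [])
    return "proxied-auth" in privs and norm(target_dn) in allowed_proxy_targets(directory, client_dn)

DIRECTORY = {norm(dn): attrs for dn, attrs in {  # constructed sample, keyed by normalised DN
    "uid=clientApp,ou=Applications,dc=example,dc=com": {
        "ds-privilege-name": ["proxied-auth"], "ds-auth-may-proxy-as": ["uid=admin,dc=example,dc=com"],
        "ds-auth-may-proxy-as-group": ["cn=Agents,ou=Groups,dc=example,dc=com"],
        "ds-auth-may-proxy-as-url": ["ldap:///ou=People,dc=example,dc=com??sub?(l=austin)"]},
    "cn=Agents,ou=Groups,dc=example,dc=com": {"objectclass": ["groupOfNames"], "member": [
        "uid=agent1,ou=admins,dc=example,dc=com", "cn=Tier2,ou=Groups,dc=example,dc=com"]},
    "cn=Tier2,ou=Groups,dc=example,dc=com": {"objectclass": ["groupOfNames"], "member": ["uid=agent2,ou=admins,dc=example,dc=com"]},
    "uid=alice,ou=People,dc=example,dc=com": {"l": ["Austin"]}, "uid=bob,ou=People,dc=example,dc=com": {"l": ["Denver"]},
}.items()}
```

Running `allowed_proxy_targets(DIRECTORY, "uid=clientApp,ou=Applications,dc=example,dc=com")` yields admin, both nested agents and alice, while bob (wrong `l` value) and any entry that lacks the privilege are refused by `may_proxy_as`.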