Working with Alternate Authorization Identities - PingDirectoryProxy - PingDirectory

Page created: 6 Nov 2019 |

Page updated: 25 Mar 2020

| 2 min read

8.0 Product PingDirectory PingDirectoryProxy Product documentation Content Type Administration User task IT Administrator Administrator Audience System Administrator Software Deployment Method Configuration Capability Directory

Access control rules in an entry-balanced deployment are configured in the Directory Server backend servers and require access to the entry contents of the user issuing the request. This can introduce a possible issue when clients to the Directory Proxy Server authenticate as users whose entries are among the entry-balanced sets. If the server which is processing a request does not contain the issuing user's entry, then the access control cannot be evaluated.

For example, consider a deployment that has two entry-balancing sets, set-01 and set-02. Set-01 has entries in the range uid=0-10000, while set-02 has entries for uid=10001-20000. The client with uid=5000 binds to the Directory Proxy Server, which sends a BIND request to entry-balancing set-01. Next, the client sends a SEARCH request with filter "(uid=15000)". The Directory Proxy Server determines that uid=15000 lives on entry-balancing set-02. The Directory Proxy Server then determines that the entry for the authenticated user with uid=5000 does not exist in set-02 and that the access control handler would reject the SEARCH request issued by an unknown user.