Page created: 22 Jul 2020 | Page updated: 1 Feb 2021
Product: PingDirectory 8.2 | Content type: Product documentation | Audience: IT Administrator, Administrator
Configuring proxied authorization requires a combination of access control instructions and the proxied-auth privilege on the entry that will perform operations as another user. Note: You cannot use the cn=Directory Manager root DN as a proxying DN.

- Open a text editor and create a user entry, such as uid=clientApp, which is the user entry that will request operations as another user, uid=admin,dc=example,dc=com. The client application entry also requires the proxied-auth privilege to allow it to run proxied authorization requests. Save the file as add-user.ldif.

  dn: ou=Applications,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  objectClass: extensibleObject
  ou: Admins
  ou: Applications

  dn: uid=clientApp,ou=Applications,dc=example,dc=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  givenName: Client
  uid: clientApp
  cn: Client App
  sn: App
  userPassword: password
  ds-privilege-name: proxied-auth
- Add the file using ldapmodify.

  $ bin/ldapmodify --defaultAdd --filename add-user.ldif
- The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, one client may need access to an accounts subtree to retrieve customer information, while another client may need access to a different subtree, such as a subscriber subtree. In this example, we want the client application to target the ou=People,dc=example,dc=com subtree. To allow the target, open a text editor and create an LDIF file that assigns an ACI to that branch so that the client app user can access it as a proxy auth user. Note that the ACI must be on a single line of text; the example shows the ACI over multiple lines for readability. Add the file using ldapmodify.

  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
    userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
- Run a search to test the configuration using the bind DN uid=clientApp and the --proxyAs option, which requires that you prefix "dn:" to the DN of the proxying entry or "u:" to the user name. The uid=clientApp entry binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree.

  $ bin/ldapsearch --port 1389 \
      --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
      --bindPassword password \
      --proxyAs "dn:uid=admin,dc=example,dc=com" \
      --baseDN ou=People,dc=example,dc=com \
      "(objectclass=*)"
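The following pre-flight check is an added example, not PingDirectory code or part of this documentation. It parses constructed copies of the two LDIF files from the steps above and verifies the three requirements the page states before you run the test search: the bind entry holds the proxied-auth privilege, the target subtree carries an allow(proxy) ACI naming that entry, and the --proxyAs value is well formed and is not the cn=Directory Manager root DN. It also shows the RFC 4370 control that --proxyAs sends on the wire.

```python
import re
PROXY_AUTH_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 proxied authorization v2 control
# Constructed copies of the page's two LDIF files, trimmed to the attributes the check needs.
USER_LDIF = """dn: uid=clientApp,ou=Applications,dc=example,dc=com
uid: clientApp
ds-privilege-name: proxied-auth
"""
ACI_LDIF = """dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
  userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
"""

def parse_ldif(text):
    """Parse simple LDIF into {dn: {attr: [values]}}; RFC 2849 folded lines are joined."""
    entries, current, last = {}, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:                 # continuation of previous value
            current[last][-1] += line[1:]
        elif not line.strip():                             # blank line ends the entry
            if "dn" in current:
                entries[current["dn"][0]] = current
            current, last = {}, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def proxied_auth_control(proxy_as):
    """The control ldapsearch --proxyAs sends: OID, criticality TRUE, raw authzId value."""
    return (PROXY_AUTH_OID, True, proxy_as.encode())

def check_proxy_setup(user_ldif, aci_ldif, bind_dn, proxy_as, subtree_dn):
    """Return the problems found; an empty list means the page's requirements hold."""
    problems = []
    privs = parse_ldif(user_ldif).get(bind_dn, {}).get("ds-privilege-name", [])
    if "proxied-auth" not in [p.lower() for p in privs]:
        problems.append(f"{bind_dn} lacks the proxied-auth privilege")
    # The server needs each ACI on one line; collapse the folded value before matching.
    rules = [re.sub(r"\s+", " ", a) for a in parse_ldif(aci_ldif).get(subtree_dn, {}).get("aci", [])]
    if not any("allow(proxy)" in r.replace(" ", "") and f'userdn="ldap:///{bind_dn}"' in r for r in rules):
        problems.append(f"no allow(proxy) ACI granting {bind_dn} access to {subtree_dn}")
    scheme, _, authz = proxy_as.partition(":")
    if scheme not in ("dn", "u") or not authz:
        problems.append('--proxyAs value must be "dn:<DN>" or "u:<username>"')
    elif scheme == "dn" and re.sub(r"\s*=\s*", "=", authz).strip().lower() == "cn=directory manager":
        problems.append("cn=Directory Manager cannot be the proxying DN")
    return problems
```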