The PingDirectory server supports the Proxied Authorization Control (RFC 4370) to allow an authorized LDAP client to authenticate to the server as another user.
Typically, LDAP servers are deployed as backend authentication systems that store user credentials and the authorization privileges necessary to carry out an operation. Single sign-on (SSO) systems can retrieve user credentials from the PingDirectory server and then issue permissions that allow the LDAP client to request operations under the identity of another user. The proxied authorization control allows client applications to securely process requests without binding or re-authenticating to the server for every operation.
The PingDirectory server supports the proxied authorization v1 and v2 request controls. The proxied authorization v1 request control is based on early versions of the draft-weltman-ldapv3-proxy Internet Draft and is available primarily for legacy systems. You should use the proxied authorization v2 request control, which is based on RFC 4370.
The proxied authorization v2 control requests that the associated operation be performed as if it had been requested by another user. You can use this control in conjunction with add, delete, compare, extended, modify, modify DN, and search requests. In that case, the associated operation is processed under the authority of the specified authorization identity rather than the identity associated with the client connection (that is, the user as whom that connection is bound). Specify the target authorization identity for this control as an authzid value: either "dn:" followed by the distinguished name of the target user, or "u:" followed by the user name.
Because of the security risks of the proxied authorization control, most directory servers enforce strict restrictions on which users can request it. If a user attempts to use the proxied authorization v2 request control without sufficient permission, the server returns a failure response with the AUTHORIZATION_DENIED result code.
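As an added example (not PingDirectory's code), the following Python encodes and decodes the RFC 4370 proxied authorization v2 control on the wire, enforcing the "dn:" / "u:" / empty authzid forms described above and the TRUE criticality the RFC requires; the decoder shows the fields a server checks before it decides whether to honour the control or answer AUTHORIZATION_DENIED. The OID is the one RFC 4370 assigns to the control; the function names are this example's own.

```python
# RFC 4370 Proxied Authorization v2 request control: BER encode and decode.
# Constructed example, not PingDirectory code; the OID is the one RFC 4370 assigns.
PROXIED_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"

def is_valid_authzid(authzid: str) -> bool:
    """authzId forms the control accepts: 'dn:<DN>', 'u:<user name>', or '' (anonymous)."""
    return authzid == "" or authzid.startswith(("dn:", "u:"))

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def build_proxied_authz_v2(authzid: str) -> bytes:
    """Encode Control ::= SEQUENCE { controlType, criticality TRUE, controlValue authzId }."""
    if not is_valid_authzid(authzid):
        raise ValueError("authzid must be 'dn:<DN>', 'u:<user name>', or empty")
    control_type = _ber_tlv(0x04, PROXIED_AUTHZ_V2_OID.encode("ascii"))
    criticality = _ber_tlv(0x01, b"\xff")  # RFC 4370: criticality MUST be TRUE
    control_value = _ber_tlv(0x04, authzid.encode("utf-8"))  # bare authzId, no inner wrapper
    return _ber_tlv(0x30, control_type + criticality + control_value)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_proxied_authz_v2(control: bytes) -> dict:
    """Decode a control into the fields a server checks before honouring it."""
    tag, seq, _ = _read_tlv(control, 0)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    _, oid, pos = _read_tlv(seq, 0)
    critical, authzid = False, None  # ASN.1 defaults: criticality FALSE, value absent
    if pos < len(seq) and seq[pos] == 0x01:
        _, val, pos = _read_tlv(seq, pos)
        critical = val != b"\x00"
    if pos < len(seq) and seq[pos] == 0x04:
        _, val, pos = _read_tlv(seq, pos)
        authzid = val.decode("utf-8")
    return {"oid": oid.decode("ascii"), "critical": critical, "authzid": authzid}
```

A control whose criticality decodes as FALSE or whose OID is not the v2 OID is not a valid RFC 4370 request, which is the first thing to check when a proxied operation is unexpectedly accepted or rejected.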