LDAP: Operations by Proxy


LDAP-compliant directory servers such as the UnboundID Directory Server allow an authenticated connection to perform operations using the identity of another distinguished name. This is called “operation by proxy” or “proxied authorization”, and the mechanism is specified in RFC 4370 (the Proxied Authorization Control).

Allowing a distinguished name (a directory entry or user) to perform operations using the identity of another distinguished name requires the following steps:

  • Add a privilege to the entry which will perform operations as another user
  • Add an access control to allow the proxying entry to request operations

In the following, user.0 will request operations as user.1.

Setup

Use ldapmodify to add the proxied-auth privilege to the entry which will request operations be performed under the identity of another distinguished name.

dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

Use ldapmodify to add an access control instruction (ACI) which will allow user.0 to request operations be performed using the identity of another user. Note that this ACI is placed on ou=people, so it permits user.0 to proxy as any entry in that subtree, not only user.1; narrow the target if only specific entries should be proxiable.

dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")
 (version 3.0; acl "allow proxied auth by user.0";
 allow (proxy)
 userdn="ldap:///uid=user.0,ou=people,dc=example,dc=com";)

Test

Use the ldapsearch tool to connect to the server, authenticate as user.0, and search for the entry user.99 using the identity of user.1:

ldapsearch --hostname localhost \
           --port ${SSL_PORT} \
           --useSSL \
           --trustAll \
           --bindDn 'uid=user.0,ou=people,dc=example,dc=com' \
           --bindPasswordFile ${PWD_FILE} \
           --proxyAs 'dn:uid=user.1,ou=people,dc=example,dc=com' \
           --baseDn 'uid=user.99,ou=people,dc=example,dc=com' \
           --searchScope base \
           '(objectClass=*)' 1.1
dn: uid=user.99,ou=People,DC=example,DC=com

The above example uses the modern ldapsearch syntax. The legacy ldapsearch parameters are slightly different.
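The --proxyAs option attaches the RFC 4370 Proxied Authorization Control to the search request. The following is an added example, not code from the original post or from the UnboundID tools: a minimal encoder and decoder for that control, using only the Python standard library, so you can see exactly what goes on the wire. The control OID 2.16.840.1.113730.3.4.18 and the "dn:"/"u:" authorization-identity forms come from RFC 4370 and RFC 4513; the function and variable names are my own.

```python
"""RFC 4370 Proxied Authorization control: encode and decode.

Added example (not from the original post or the UnboundID tools). It
builds the LDAP Control that a client such as ldapsearch --proxyAs sends,
and parses it back, using only the standard library.
"""

# Control OID assigned for proxied authorization in RFC 4370.
PROXIED_AUTH_OID = "2.16.840.1.113730.3.4.18"


def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_proxied_auth_control(authz_id: str) -> bytes:
    """Encode Control { controlType, criticality TRUE, controlValue authzId }.

    authz_id is an RFC 4513 authorization identity: "dn:<DN>" or "u:<userid>".
    An empty string requests anonymous authorization, as RFC 4370 allows.
    RFC 4370 requires the control to be marked critical, so a server that does
    not support it rejects the request instead of running it as the bind identity.
    """
    if authz_id and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must start with 'dn:' or 'u:'")
    control_type = _tlv(0x04, PROXIED_AUTH_OID.encode("ascii"))   # OCTET STRING
    criticality = _tlv(0x01, b"\xff")                              # BOOLEAN TRUE
    control_value = _tlv(0x04, authz_id.encode("utf-8"))           # OCTET STRING
    return _tlv(0x30, control_type + criticality + control_value)  # SEQUENCE


def parse_control(data: bytes) -> dict:
    """Decode a single BER-encoded LDAP Control into its three fields."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, None            # both are OPTIONAL in the ASN.1
    if pos < len(seq) and seq[pos] == 0x01:
        _, flag, pos = _read_tlv(seq, pos)
        critical = flag != b"\x00"
    if pos < len(seq):
        tag, raw, pos = _read_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
        value = raw.decode("utf-8")
    return {"oid": oid.decode("ascii"), "critical": critical, "value": value}


if __name__ == "__main__":
    ctrl = build_proxied_auth_control("dn:uid=user.1,ou=people,dc=example,dc=com")
    print(ctrl.hex())
    print(parse_control(ctrl))
```

The decoder is a useful sanity check when reading a packet capture of a proxied request: the server only honours the identity in controlValue after evaluating the proxied-auth privilege and the proxy ACI shown above, and because the control is critical a server that does not support it fails the whole operation rather than silently executing it as the bind identity.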

The access log records the authorization identity of each operation in the authzDN field; in the run captured below the proxied identity was user.0 itself, so authzDN matches the bind DN:

[31/May/2012:09:27:02.880 -0500] CONNECT conn=30 from="127.0.0.1" to="127.0.0.1" protocol="LDAP+TLS" clientConnectionPolicy="default"
[31/May/2012:09:27:02.922 -0500] BIND RESULT conn=30 op=0 msgID=1 version="3"
 dn="uid=user.0,ou=people,dc=example,dc=com" authType="SIMPLE" resultCode=0 etime=0.686
 authDN="uid=user.0,ou=People,DC=example,DC=com" clientConnectionPolicy="default"
[31/May/2012:09:27:02.926 -0500] SEARCH RESULT conn=30 op=1 msgID=2
 base="uid=user.99,ou=people,dc=example,dc=com" scope=0
 filter="(objectClass=*)" attrs="1.1" resultCode=0 etime=1.132 entriesReturned=1 authzDN="uid=user.0,ou=People,DC=example,DC=com"
[31/May/2012:09:27:02.943 -0500] DISCONNECT conn=30 reason="Client Unbind"
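Because authzDN is logged on every operation, the access log is the natural place to audit use of the proxied-auth privilege: any operation whose authzDN differs from the authDN of the bind on the same connection was performed by proxy. The following is an added example, not code from the original post or from the UnboundID product, that reads records in the log format shown above, remembers each connection's bind identity, and reports the proxied operations. The sample input is the page's own log plus one constructed record (op=2) in which user.0 searches as user.1; the record format parsing and the DN normalization are my own simplifications.

```python
"""Flag proxied operations in a Directory Server access log.

Added example (not from the original post or the UnboundID product). It
reads access-log records in the format shown above, remembers the bind
identity of each connection, and reports every operation whose authzDN
differs from that bind identity: the operations performed "by proxy".
"""
import re

# Constructed sample: the page's access log plus one extra record (op=2) in
# which user.0 searches under the identity of user.1.
SAMPLE_LOG = """\
[31/May/2012:09:27:02.880 -0500] CONNECT conn=30 from="127.0.0.1" to="127.0.0.1" protocol="LDAP+TLS" clientConnectionPolicy="default"
[31/May/2012:09:27:02.922 -0500] BIND RESULT conn=30 op=0 msgID=1 version="3"
 dn="uid=user.0,ou=people,dc=example,dc=com" authType="SIMPLE" resultCode=0 etime=0.686
 authDN="uid=user.0,ou=People,DC=example,DC=com" clientConnectionPolicy="default"
[31/May/2012:09:27:02.926 -0500] SEARCH RESULT conn=30 op=1 msgID=2
 base="uid=user.99,ou=people,dc=example,dc=com" scope=0
 filter="(objectClass=*)" attrs="1.1" resultCode=0 etime=1.132 entriesReturned=1 authzDN="uid=user.0,ou=People,DC=example,DC=com"
[31/May/2012:09:27:02.935 -0500] SEARCH RESULT conn=30 op=2 msgID=3
 base="uid=user.99,ou=people,dc=example,dc=com" scope=0
 filter="(objectClass=*)" attrs="1.1" resultCode=0 etime=0.910 entriesReturned=1 authzDN="uid=user.1,ou=People,DC=example,DC=com"
[31/May/2012:09:27:02.943 -0500] DISCONNECT conn=30 reason="Client Unbind"
"""

# "[timestamp] KIND OF RECORD key=value ..." ; KIND is one or more upper-case words.
RECORD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?: [A-Z]+)*)\s+(?P<rest>.*)$')
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def join_records(lines):
    """Yield one string per record; lines starting with whitespace continue the previous record."""
    current = None
    for line in lines:
        if not line.strip():
            continue
        if line[0].isspace():
            current = f"{current} {line.strip()}"
        else:
            if current is not None:
                yield current
            current = line.rstrip()
    if current is not None:
        yield current


def parse_record(record):
    """Split a record into its timestamp, kind (e.g. 'BIND RESULT') and key/value fields."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "kind": m.group("kind"), **fields}


def normalize_dn(dn):
    """Case-fold and trim so 'ou=People,DC=example' matches 'ou=people,dc=example'.

    A simplification of RFC 4514 matching, sufficient for these log lines.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_proxied_operations(lines):
    """Return operations whose authorization identity differs from the connection's bind identity."""
    bind_identity = {}   # conn id -> authDN of the last successful bind on that connection
    findings = []
    for rec in map(parse_record, join_records(lines)):
        if rec is None:
            continue
        conn = rec.get("conn")
        if rec["kind"] == "BIND RESULT" and rec.get("resultCode") == "0" and "authDN" in rec:
            bind_identity[conn] = rec["authDN"]
        elif rec["kind"] == "DISCONNECT":
            bind_identity.pop(conn, None)
        elif "authzDN" in rec:
            bound = bind_identity.get(conn, "")   # "" if no successful bind was seen
            if normalize_dn(rec["authzDN"]) != normalize_dn(bound):
                findings.append({"ts": rec["ts"], "conn": conn, "op": rec.get("op"),
                                 "kind": rec["kind"], "authDN": bound, "authzDN": rec["authzDN"]})
    return findings


if __name__ == "__main__":
    for hit in find_proxied_operations(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} conn={hit['conn']} op={hit['op']} {hit['kind']}: "
              f"{hit['authDN']} acted as {hit['authzDN']}")
```

Run against the sample, only op=2 is reported, since op=1 carries the same identity as the bind. Comparing the reported proxied pairs against the set of entries that actually hold the proxied-auth privilege is a quick way to confirm the privilege and the proxy ACI are no broader than intended.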


About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.