Proxied Authorization

Proxied authorization, defined in RFC 4370, provides a mechanism for binding as a proxy, and making requests on behalf of other users. For example, an application binds with its credentials, but each request is made as a user who logs in through the application.

To use proxied authorization, the proxy user must have:

  • Permission to use the LDAP Proxy Authorization Control.

    Grant access to this control using an ACI with a targetcontrol list that includes the Proxy Authorization Control OID ProxiedAuthV2 (2.16.840.1.113730.3.4.18). The ACI must grant allow(read) permission to the proxy.

    This calls for an ACI with a target scope that includes the entry of the proxy user binding to the directory.

  • Permission to proxy as the given authorization user.

    This calls for an ACI with a target scope that includes the entry of the authorization user. The ACI must grant allow(proxy) permission to the proxy.

  • The privilege to use proxied authorization.

    Add ds-privilege-name: proxied-auth to the proxy’s entry.

The following table shows whether proxied authorization allows an operation on the target.

Bind DN no access Bind DN has access

Proxy ID no access

No

No

Proxy ID has access

Yes

Yes

Resource limits do not change when the user proxies as another user. Resource limits depend on the bind DN, not the proxy authorization identity.

The following steps rely on the access settings available in the evaluation setup profile, described in Learn About the Evaluation Setup Profile, to demonstrate proxied authorization for an Example.com application. In the evaluation profile, kvaughan is a directory administrator user with access to modify bjensen's entry.

If you are using a different profile, make sure you have granted access to the bind DN user and the proxy ID user:

  1. Grant access to applications to use the Proxy Authorization control, and to use proxied authorization:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=admin \
     --bindPassword password << EOF
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetcontrol="ProxiedAuthV2")
      (version 3.0; acl "Apps can use the Proxy Authorization Control";
      allow(read) userdn="ldap:///cn=*,ou=Apps,dc=example,dc=com";)
    aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")
      (version 3.0; acl "Allow apps proxied auth";
      allow(proxy) (userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)
    EOF

    The latter ACI allows any user whose DN matches cn=*,ou=Apps,dc=example,dc=com to proxy as any user under the ACI target of dc=example,dc=com. For example, cn=My App,ou=Apps,dc=example,dc=com can proxy as any Example.com user, but cannot proxy as the directory superuser uid=admin. The target of the ACI does not include uid=admin.

  2. Grant My App the privilege to use proxied authorization:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=admin \
     --bindPassword password << EOF
    dn: cn=My App,ou=Apps,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: proxied-auth
    EOF

    Other applications without this privilege cannot yet use proxied authorization.

  3. Test that My App can use proxied authorization:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
     --bindPassword password \
     --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com" << EOF
    dn: uid=bjensen,ou=People,dc=example,dc=com
    changetype: modify
    replace: description
    description: Changed through proxied auth
    EOF
    
    # MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com

Use an identity mapper if identifiers have the u:authzid (user ID) form rather than dn:authzid form. Specify the identity mapper with the global configuration setting, proxied-authorization-identity-mapper.

For details, see Identity Mappers.