Proxied authorization
Proxied authorization, defined in RFC 4370, provides a mechanism for binding as a proxy, and making requests on behalf of other users. For example, an application binds with its credentials, but each request is made as a user who logs in through the application.
To use proxied authorization, the proxy user must have:
-
Permission to use the LDAP Proxy Authorization Control.
Grant access to this control using an ACI with a
targetcontrol
list that includes the Proxy Authorization Control OIDProxiedAuthV2
(2.16.840.1.113730.3.4.18
). The ACI must grantallow(read)
permission to the proxy.This calls for an ACI with a target scope that includes the entry of the proxy user binding to the directory.
-
Permission to proxy as the given authorization user.
This calls for an ACI with a target scope that includes the entry of the authorization user. The ACI must grant
allow(proxy)
permission to the proxy. -
The privilege to use proxied authorization.
Add
ds-privilege-name: proxied-auth
to the proxy’s entry.
The following table shows whether proxied authorization allows an operation on the target.
Bind DN no access | Bind DN has access | |
---|---|---|
Proxy ID no access |
No |
No |
Proxy ID has access |
Yes |
Yes |
The following steps rely on the access settings available in the evaluation setup profile,
described in Learn about the evaluation setup profile,
to demonstrate proxied authorization for an Example.com application.
In the evaluation profile, kvaughan
is a directory administrator user with access to modify bjensen
's entry.
If you are using a different profile, make sure you have granted access to the bind DN user and the proxy ID user:
-
Grant access to applications to use the Proxy Authorization control, and to use proxied authorization:
$ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: dc=example,dc=com changetype: modify add: aci aci: (targetcontrol="ProxiedAuthV2") (version 3.0; acl "Apps can use the Proxy Authorization Control"; allow(read) userdn="ldap:///cn=*,ou=Apps,dc=example,dc=com";) aci: (target="ldap:///dc=example,dc=com") (targetattr ="*") (version 3.0; acl "Allow apps proxied auth"; allow(proxy) (userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");) EOF
The latter ACI allows any user whose DN matches
cn=*,ou=Apps,dc=example,dc=com
to proxy as any user under the ACI target ofdc=example,dc=com
. For example,cn=My App,ou=Apps,dc=example,dc=com
can proxy as any Example.com user, but cannot proxy as the directory superuseruid=admin
. The target of the ACI does not includeuid=admin
. -
Grant My App the privilege to use proxied authorization:
$ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: cn=My App,ou=Apps,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: proxied-auth EOF
Other applications without this privilege cannot yet use proxied authorization.
-
Test that My App can use proxied authorization:
$ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \ --bindPassword password \ --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com" << EOF dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify replace: description description: Changed through proxied auth EOF # MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
Use an identity mapper if identifiers have the u:authzid
(user ID) form rather than dn:authzid
form.
Specify the identity mapper with the global configuration setting,
proxied-authorization-identity-mapper
.
For details, see Identity mappers.