  Implementation & Security Considerations
 
Subject: Implementation & Security Considerations
Author: SteveHB
In response to: Proxy Authorization Control
Posted on: 02/26/2007 03:43:02 PM

During evaluation of a search request, an entry that would have been returned for the search (if submitted by the proxy authorization identity directly) may not be returned if the server finds that the requester does not have the right to assume the requested identity for searching the entry. This means that fewer results, or no results, may be returned than would be if the proxy authorization identity issued the request directly.

On the other hand, an authenticated user (even an anonymous user) may request results which require higher privileges by passing the assumed authorization identity. Note that it is the server's sole responsibility to determine if a proxy authorization request is to be honored. Usually, "anonymous" users SHOULD NOT be allowed to assume the identity of others.

> On 02/26/2007 03:39:03 PM SteveHB wrote:

A single Proxy Authorization Control may be included in any search,
compare, modify, add, delete, modifyDN, or
extended operation request message. The exception is any extension
that causes a change in authentication, authorization, or data
confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the
controls field of the LDAPMessage, as defined in [RFC2251].


This control is included in the searchRequest and searchResultDone
messages as part of the controls field of the LDAPMessage, as defined
in Section 4.1.12 of [LDAPv3]. The structure of this control is as
follows:
 ProxiedAuthorizationControl ::= SEQUENCE {
    controlType     2.16.840.1.113730.3.4.18,
    criticality     BOOLEAN DEFAULT FALSE,
    controlValue    proxiedAuthorizationControlValue optional
 }

Clients MUST include the criticality flag and MUST set it to TRUE.
Servers MUST reject any request containing a Proxy Authorization
Control without a criticality flag or with the flag set to FALSE with
a protocolError error. These requirements protect clients from
submitting a request that is executed with an unintended
authorization identity.

The controlValue SHALL be present and SHALL either contain an authzId
[AUTH] representing the authorization identity for the request or be
empty if an anonymous association is to be used.
 proxiedAuthorizationControlValue ::= LDAPString

The mechanism for determining proxy access rights is specific to the
server's proxy authorization policy.

If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxy
authorization identity; otherwise, the result code 123 is returned.
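
As an added example (not code from either post in this thread), the control above encoded in BER with the criticality flag the text requires, and a server-side check that rejects an absent or FALSE criticality with protocolError and returns result code 123 when the bound identity may not assume the requested authzId. The policy table, the identities and the anonymous-requester rule are assumptions; the outer framing is the generic LDAP Control SEQUENCE (controlType, criticality, controlValue).

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # controlType from the post
PROTOCOL_ERROR, AUTHZ_DENIED, SUCCESS = 2, 123, 0  # LDAP resultCodes

def _tlv(tag, body):
    """BER TLV with a short-form length (enough for this control's small values)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_control(authz_id, criticality=True):
    """Client side. The LDAPOID travels as dotted-decimal text in an OCTET STRING;
    controlValue is the authzId, and "" means an anonymous association."""
    return _tlv(0x30, _tlv(0x04, PROXY_AUTHZ_OID.encode())
                      + _tlv(0x01, b"\xff" if criticality else b"\x00")
                      + _tlv(0x04, authz_id.encode()))

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form length not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_control(raw):
    tag, body, _ = _read_tlv(raw, 0)
    assert tag == 0x30, "Control must be a SEQUENCE"
    ctrl = {"controlType": None, "criticality": False, "controlValue": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if ctrl["controlType"] is None:
            ctrl["controlType"] = val.decode()
        elif tag == 0x01:            # BOOLEAN; absent on the wire means DEFAULT FALSE
            ctrl["criticality"] = val != b"\x00"
        elif tag == 0x04:
            ctrl["controlValue"] = val.decode()
    return ctrl

# Constructed policy table (assumption): which bound identity may assume which authzIds.
PROXY_POLICY = {"dn:cn=app-proxy,dc=example,dc=com": {"u:alice", "u:bob"}}

def evaluate_proxy_control(raw, bound_identity):
    """Server side: returns (resultCode, effective authorization identity)."""
    ctrl = decode_control(raw)
    if ctrl["controlType"] != PROXY_AUTHZ_OID:
        raise ValueError("not a Proxy Authorization Control")
    if not ctrl["criticality"]:        # MUST reject absent or FALSE criticality
        return PROTOCOL_ERROR, None
    requested = ctrl["controlValue"]
    if requested == "":                # empty value: perform the operation anonymously
        return SUCCESS, None
    if bound_identity is None:         # anonymous requesters may not assume others
        return AUTHZ_DENIED, None
    if requested in PROXY_POLICY.get(bound_identity, set()):
        return SUCCESS, requested
    return AUTHZ_DENIED, None
```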
