  Proxy Authorization Control
 
Subject: Proxy Authorization Control
Author: SteveHB
In response to: LDAP Proxied Authorization Control -- RFC 4370
Posted on: 02/26/2007 03:39:03 PM

A single Proxy Authorization Control may be included in any search,
compare, modify, add, delete, or modifyDN or
extended operation request message. The exception is any extension
that causes a change in authentication, authorization, or data
confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the
controls field of the LDAPMessage, as defined in [RFC2251].


This control is included in the searchRequest and searchResultDone
messages as part of the controls field of the LDAPMessage, as defined
in Section 4.1.12 of [LDAPv3]. The structure of this control is as
follows:

 ProxiedAuthorizationControl ::= SEQUENCE {
    controlType     2.16.840.1.113730.3.4.18,
    criticality     BOOLEAN DEFAULT FALSE,
    controlValue    proxiedAuthorizationControlValue optional
 }

Clients MUST include the criticality flag and MUST set it to TRUE.
Servers MUST reject any request containing a Proxy Authorization
Control without a criticality flag or with the flag set to FALSE with
a protocolError error. These requirements protect clients from
submitting a request that is executed with an unintended
authorization identity.

The controlValue SHALL be present and SHALL either contain an authzId
[AUTH] representing the authorization identity for the request or be
empty if an anonymous association is to be used.

 proxiedAuthorizationControlValue ::= LDAPString

The mechanism for determining proxy access rights is specific to the
server's proxy authorization policy.

If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxy
authorization identity; otherwise, the result code 123 is returned.


> On 02/26/2007 03:37:48 PM SteveHB wrote:


http://www.ietf.org/rfc/rfc4370

The Proxy Authorization Control allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.
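The control layout and the two server-side rules quoted above (reject a missing or FALSE criticality flag with protocolError; execute as the requested identity only if the client may adopt it, otherwise return 123) as an added Python example that is not part of this post or of RFC 4370. It carries a small BER encoder/decoder for the Control SEQUENCE and a policy check. The policy mapping, the identity strings and the result code 2 for protocolError (RFC 4511) are assumptions of the example; LDAPOID and LDAPString are carried as OCTET STRINGs as in the LDAP ASN.1, and an empty controlValue is treated as the anonymous association the text describes.

```python
"""Encode, decode and evaluate the LDAP Proxied Authorization Control (RFC 4370).

Added example; not the post's or the RFC's code. Pure BER, no external library.
"""

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # controlType from RFC 4370
RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2                       # protocolError (RFC 4511), assumed value
RESULT_AUTHORIZATION_DENIED = 123               # result code named in RFC 4370


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_control(authz_id: str, critical: bool = True) -> bytes:
    """Build Control ::= SEQUENCE { controlType, criticality, controlValue }.

    criticality is always encoded explicitly so the weak (FALSE) form
    can be produced for the server-side test below.
    """
    parts = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))          # LDAPOID
    parts += _tlv(0x01, b"\xff" if critical else b"\x00")        # BOOLEAN
    parts += _tlv(0x04, authz_id.encode("utf-8"))                # LDAPString value
    return _tlv(0x30, parts)                                     # SEQUENCE


def decode_control(data: bytes) -> dict:
    """Parse a Control; criticality absent means FALSE (DEFAULT FALSE)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a Control SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    ctrl = {"type": oid.decode("ascii"), "criticality": False, "value": None}
    if pos < len(body) and body[pos] == 0x01:
        _, flag, pos = _read_tlv(body, pos)
        ctrl["criticality"] = flag != b"\x00"
    if pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
        ctrl["value"] = val.decode("utf-8")
    if pos != len(body):
        raise ValueError("trailing bytes in Control")
    return ctrl


def evaluate_proxy_control(ctrl: dict, bound_dn: str, policy: dict):
    """Server-side check. Returns (result_code, effective_authz_id or None).

    policy maps a bound DN to the set of authzIds it may assume
    (an assumed, deliberately simple proxy authorization policy).
    """
    if ctrl["type"] != PROXY_AUTHZ_OID:
        raise ValueError("not a Proxied Authorization Control")
    # Clients MUST set criticality TRUE; absent/FALSE is a protocolError.
    if not ctrl["criticality"]:
        return RESULT_PROTOCOL_ERROR, None
    # The controlValue SHALL be present; a missing value is also malformed.
    if ctrl["value"] is None:
        return RESULT_PROTOCOL_ERROR, None
    authz = ctrl["value"]
    if authz == "":
        return RESULT_SUCCESS, ""          # empty value: anonymous association
    if authz in policy.get(bound_dn, set()):
        return RESULT_SUCCESS, authz       # execute as the proxied identity
    return RESULT_AUTHORIZATION_DENIED, None


if __name__ == "__main__":
    # Constructed sample: a proxy account allowed to act as one user only.
    POLICY = {"cn=proxy,dc=example,dc=com": {"dn:cn=alice,dc=example,dc=com"}}
    ctrl = decode_control(encode_control("dn:cn=alice,dc=example,dc=com"))
    print(evaluate_proxy_control(ctrl, "cn=proxy,dc=example,dc=com", POLICY))
    print(evaluate_proxy_control(ctrl, "cn=other,dc=example,dc=com", POLICY))
```

The decoder treats an absent criticality element as FALSE, which is what DEFAULT FALSE means under BER; a server that only checked for the element being present-and-FALSE would let a control with the flag simply omitted slip past the protocolError rule.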