Subject:ACI Setting Example -- Proxy Authorization Author: aci Posted on: 03/21/2014 12:15:07 AM
Proxy authorization allows you to bind to an LDAP server as one user but perform operations as another user. There are two types of usage:
Downgrade Proxy -- You, connected as a help-desk user, want to check or verify what rights a lower-level user would have.
Upgrade Proxy -- You, connected as an ordinary user, want to hijack a higher-level service account to perform privileged operations.
Obviously, the upgrade proxy is dangerous, and that is why most servers enforce proxy rules governing:
1) who has the right to impersonate others (granted by aci and/or privilege);
2) what targets can be accessed or manipulated by the proxied user (granted by aci).
For example:
    aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
         (version 3.0; acl "Who can use proxy on what";
         allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)
The above aci specifies that:
1) only users from the "Support" department can act as proxy;
2) and they can only access targets under the "Sales" department.
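To make the two checks in that aci concrete, here is an added example (my own code, not part of the original post or of any directory server) that models the rule: it parses the aci above, decides whether a given bound DN may use proxy authorization against a given entry DN, and builds the RFC 4370 proxied-authorization control value in the "dn:" form. The DN names are constructed sample values, and the wildcard handling (a "*" matching one attribute value, with no extra RDNs) is a simplifying assumption rather than a full implementation of the server's aci syntax.

```python
import re

# Sample input: a copy of the aci from the post, embedded so the example runs offline.
SAMPLE_ACI = (
    '(target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Who can use proxy on what"; '
    'allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)'
)

# OID of the Proxied Authorization Control (RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so that
    'ou=Sales, dc=example' and 'ou=sales,dc=example' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True if dn is base itself or lies somewhere below it in the tree."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def strip_ldap_url(value):
    """Turn 'ldap:///ou=Sales,dc=example,dc=com' into the bare DN."""
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def userdn_matches(pattern, dn):
    """Match a bound DN against a userdn pattern.
    Assumption (simplification): '*' stands for any single attribute
    value, so 'uid=*,ou=Support,...' matches uid=alice,ou=Support,...
    but not an entry with an extra RDN between uid and ou=Support."""
    pat = normalize_dn(strip_ldap_url(pattern))
    regex = "^" + re.escape(pat).replace(r"\*", "[^,]*") + "$"
    return re.match(regex, normalize_dn(dn)) is not None


def parse_aci(text):
    """Extract the three pieces the proxy rule depends on: target subtree,
    allow/deny plus the granted rights, and the userdn bind rule."""
    target = re.search(r'\(target="([^"]*)"\)', text)
    rights = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', text)
    userdn = re.search(r'userdn="([^"]*)"', text)
    if not (target and rights and userdn):
        raise ValueError("unrecognised aci")
    return {
        "target": strip_ldap_url(target.group(1)),
        "effect": rights.group(1),
        "rights": {r.strip().lower() for r in rights.group(2).split(",")},
        "userdn": userdn.group(1),
    }


def proxy_allowed(aci_text, bound_dn, entry_dn):
    """Both conditions from the post must hold: the bound user is in the
    userdn set (who may proxy) AND the entry is under target (on what)."""
    aci = parse_aci(aci_text)
    return (aci["effect"] == "allow"
            and "proxy" in aci["rights"]
            and userdn_matches(aci["userdn"], bound_dn)
            and dn_under(entry_dn, aci["target"]))


def proxy_authz_control_value(authz_dn):
    """RFC 4370 control value: the authzId in its 'dn:' form, UTF-8 encoded.
    This is what a client sends alongside an operation to act as authz_dn."""
    return b"dn:" + authz_dn.encode("utf-8")


if __name__ == "__main__":
    support = "uid=alice,ou=Support,dc=example,dc=com"   # constructed sample DN
    sales_entry = "uid=bob,ou=Sales,dc=example,dc=com"   # constructed sample DN
    print(proxy_allowed(SAMPLE_ACI, support, sales_entry))
    print(proxy_authz_control_value(sales_entry))
```

Run as a script it prints the decision for a Support user acting on a Sales entry, followed by the control value bytes; the functions are written so the same checks can be applied to any other bound DN and target DN pair.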