Subject: Step-by-step guide to set up proxy authorization
Author: aci
In response to: ACI Setting Example -- Proxy Authorization
Posted on: 03/21/2014 12:21:58 AM
Step 1) Specify who can use Proxy Authorization Control {2.16.840.1.113730.3.4.18}
aci: (targetcontrol="2.16.840.1.113730.3.4.18 || 1.2.840.113556.1.4.319")
(version 3.0; acl "Authenticated users control access";
allow (read) userdn="ldap:///all";)
Here, all authenticated users can use controls.
Step 2) Specify who has the privilege to act as proxy
The privilege setting depends on what server you are using.
Step 3) Specify who can act as proxy and on what target
aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Who can use proxy on what";
allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)
Step 4) Specify the proxied user's rights
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Developers can access all departments";
allow (all) userdn="ldap:///uid=*,ou=Develop,dc=example,dc=com";)
> On 03/21/2014 12:15:07 AM aci wrote:
Proxy authorization allows you to connect to an LDAP server as one user but perform operations as another user. There are two types of usages:
Downgrade Proxy -- You, connected as a desk helper, want to check or verify what rights a lower-level user could have.
Upgrade Proxy -- You, connected as a user, want to hijack a higher-level service account to do some fancy operations.
Apparently, the upgrade proxy is dangerous and that is why most servers have certain proxy rules as to:
1) who can have the right to impersonate others (achieved by aci or/and privilege);
2) what target can be accessed/manipulated by the proxied user (achieved by aci)
For example,
aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Who can use proxy on what";
allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)
The above aci specifies that:
1) Only users from the "Support" department can act as proxy
2) and he or she can only access targets under the "Sales" department
References:
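Added example, not code from either post above: a small Python model of the checks the thread describes, run over the three ACIs quoted on this page (parsed from their text), together with the BER encoding of the RFC 4370 proxied authorization control whose OID appears in Step 1. The bind and target DNs, the parser's coverage (only the ACI forms shown here), and the order of the checks are assumptions made for illustration; Step 2's server-specific privilege is not modelled. One detail worth noticing: in Directory Server ACI syntax, "all" grants every right except proxy, so the developers' "allow (all)" does not let them proxy as anyone else.

```python
"""Added example (not from the post): RFC 4370 proxied authorization control
encoding plus a model of the ACI checks described in the thread.
All DNs and scenario names below are constructed for illustration."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # Step 1's control OID (RFC 4370)


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_proxied_authz_control(authz_id: str) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality, controlValue }.
    RFC 4370 requires criticality TRUE and places the authzId ("dn:..." or
    "u:...") directly in controlValue with no inner wrapping."""
    oid = PROXIED_AUTHZ_OID.encode("ascii")
    value = authz_id.encode("utf-8")
    inner = (b"\x04" + _ber_len(len(oid)) + oid          # LDAPOID
             + b"\x01\x01\xff"                           # BOOLEAN TRUE
             + b"\x04" + _ber_len(len(value)) + value)   # OCTET STRING
    return b"\x30" + _ber_len(len(inner)) + inner


@dataclass(frozen=True)
class Aci:
    target: Optional[str]   # subtree the ACI covers; None for control-only ACIs
    controls: frozenset     # OIDs from targetcontrol, empty if absent
    rights: frozenset       # e.g. {"read"}, {"proxy"}, {"all"}
    userdn: str             # "all", "anyone", or a DN pattern with "*"


def parse_aci(text: str) -> Aci:
    """Parses only the ACI shapes used in the post: one target or targetcontrol,
    one allow(...) clause, one userdn. Not a general ACI parser."""
    rights = re.search(r'allow\s*\(([^)]*)\)', text).group(1)
    userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', text).group(1)
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"\)', text)
    ctrl = re.search(r'\(targetcontrol\s*=\s*"([^"]*)"\)', text)
    return Aci(
        target=target.group(1) if target else None,
        controls=frozenset(c.strip() for c in ctrl.group(1).split("||")) if ctrl else frozenset(),
        rights=frozenset(r.strip() for r in rights.split(",")),
        userdn=userdn,
    )


def _dn_matches(pattern: str, dn: str) -> bool:
    if pattern in ("all", "anyone"):
        return True                  # "all": any authenticated bind DN
    return fnmatchcase(dn.lower(), pattern.lower())


def _in_subtree(target: str, dn: str) -> bool:
    t, d = target.lower(), dn.lower()
    return d == t or d.endswith("," + t)


def _has_right(aci: Aci, right: str) -> bool:
    # Directory Server semantics: "all" covers every right except proxy.
    return right in aci.rights or ("all" in aci.rights and right != "proxy")


def grants(acis, bind_dn: str, right: str, entry_dn: str) -> bool:
    return any(a.target and _in_subtree(a.target, entry_dn)
               and _has_right(a, right) and _dn_matches(a.userdn, bind_dn)
               for a in acis)


def control_allowed(acis, bind_dn: str, oid: str) -> bool:
    return any(oid in a.controls and _has_right(a, "read")
               and _dn_matches(a.userdn, bind_dn) for a in acis)


def authorize_proxied(acis, bind_dn, proxied_dn, right, entry_dn):
    """The post's checks in order: control use (Step 1), the bound user's proxy
    right on the target (Step 3), then the proxied user's own right (Step 4)."""
    if not control_allowed(acis, bind_dn, PROXIED_AUTHZ_OID):
        return False, "bound user may not use the proxied authorization control"
    if not grants(acis, bind_dn, "proxy", entry_dn):
        return False, "bound user has no proxy right on the target"
    if not grants(acis, proxied_dn, right, entry_dn):
        return False, "proxied user lacks that right on the target"
    return True, "allowed"


# The three ACIs quoted in the post, as strings.
ACIS = [parse_aci(a) for a in (
    '(targetcontrol="2.16.840.1.113730.3.4.18 || 1.2.840.113556.1.4.319")'
    '(version 3.0; acl "Authenticated users control access"; allow (read) userdn="ldap:///all";)',
    '(target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Who can use proxy on what"; allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)',
    '(target="ldap:///dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Developers can access all departments"; allow (all) userdn="ldap:///uid=*,ou=Develop,dc=example,dc=com";)',
)]

SUPPORT = "uid=alice,ou=Support,dc=example,dc=com"        # constructed DNs
DEVELOPER = "uid=dev1,ou=Develop,dc=example,dc=com"
GUEST = "uid=guest,ou=Visitors,dc=example,dc=com"
SALES_ENTRY = "uid=bob,ou=Sales,dc=example,dc=com"
ENG_ENTRY = "uid=carol,ou=Engineering,dc=example,dc=com"

if __name__ == "__main__":
    print("control:", encode_proxied_authz_control("dn:" + DEVELOPER).hex())
    for who, as_whom, entry in ((SUPPORT, DEVELOPER, SALES_ENTRY), (SUPPORT, DEVELOPER, ENG_ENTRY),
                                (DEVELOPER, SUPPORT, SALES_ENTRY), (SUPPORT, GUEST, SALES_ENTRY)):
        print(who, "as", as_whom, "on", entry, "->", authorize_proxied(ACIS, who, as_whom, "write", entry))
```

The four scenarios in the main block correspond to the cases the thread raises: a Support user proxying as a developer inside ou=Sales succeeds; the same outside ou=Sales fails at the proxy check; a developer trying to proxy fails because "all" does not include proxy; and a Support user proxying as someone with no rights of their own fails at the last check, since the effective rights are the proxied user's, not the binder's.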