OpenDJ requires privilege to act as proxy

Subject: OpenDJ requires privilege to act as proxy
Author: aci
 In response to: Run #2 Modify Operation
Posted on: 11/16/2019 01:13:47 AM
  
Step 2) Specify who has the privilege to act as proxy
  The privilege setting depends on what server you are using. For example, OpenDJ requires the privilege "proxied-auth" to do so.
 
  
C:\>ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w password
dn: uid=user.1,ou=Support,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
  
 
>  
> On 03/21/2014 12:56:32 AM  aci wrote:
  
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Sales,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Sales,dc=example,dc=com
^C
  Succeeded(0) -- Works as expected
 
 
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Support,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Sales,dc=example,dc=com
ldap_modify: Insufficient access
  Failed: Insufficient access right(50) -- Even though "uid=user.2,ou=Develop,dc=example,dc=com" has the right to modify entry "uid=user.3,ou=Support,dc=example,dc=com", the proxy ACI forbids the user from doing so (the user can only touch the target which has been narrowed down to Sales department).
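
An added example, not part of the original post: a Python check over an LDIF export that lists every entry holding `ds-privilege-name: proxied-auth` and is not on an expected allow-list, so the grant made in Step 2 can be reviewed later. The export text, the `uid=svc.portal` account and the function names are constructed for illustration.

```python
import base64

# Constructed sample export; uid=svc.portal is a hypothetical service account.
SAMPLE = """\
dn: uid=user.1,ou=Support,dc=example,dc=com
ds-privilege-name: proxied-auth

dn: uid=user.2,ou=Develop,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=svc.portal,ou=Apps,dc=example,
 dc=com
ds-privilege-name: password-reset
ds-privilege-name:: cHJveGllZC1hdXRo
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each entry in an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)

def proxy_capable(text, expected=()):
    """DNs holding proxied-auth that are not on the expected allow-list."""
    allowed = {dn.lower() for dn in expected}   # simple case-insensitive DN match
    return sorted(
        dn for dn, attrs in parse_ldif(text)
        if "proxied-auth" in {v.lower() for v in attrs.get("ds-privilege-name", [])}
        and dn.lower() not in allowed
    )

if __name__ == "__main__":
    for dn in proxy_capable(SAMPLE, expected=["uid=user.1,ou=Support,dc=example,dc=com"]):
        print("unexpected proxied-auth holder:", dn)
```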
  
 