Topic: ACI Setting Example -- Proxy Authorization
Author: aci member (posts: 5, joined: 03/20/2014, from: Los Angeles, CA)

ACI Setting Example -- Proxy Authorization |
Proxy authorization allows you to connect to an LDAP server as one user but perform operations as another user. There are two types of usages:
Downgrade Proxy -- You, connected as a help-desk user, want to check or verify what rights a lower-level user would have.
Upgrade Proxy -- You, connected as a user, want to hijack a higher-level service account to do some fancy operations.
Apparently, the upgrade proxy is dangerous, and that is why most servers have certain proxy rules as to: 1) who has the right to impersonate others (achieved by aci and/or privilege); 2) what target can be accessed/manipulated by the proxied user (achieved by aci).
For example,
aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Who can use proxy on what";
allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)
The above aci specifies that: 1) only users from the "Support" department can act as proxy; 2) and they can only access targets under the "Sales" department.

Post by aci member:
Step-by-step guide to set up proxy authorization:
Step 1) Specify who can use Proxy Authorization Control {2.16.840.1.113730.3.4.18}
aci: (targetcontrol="2.16.840.1.113730.3.4.18 || 1.2.840.113556.1.4.319")
(version 3.0; acl "Authenticated users control access";
allow (read) userdn="ldap:///all";)
Here, all authenticated users can use these controls.
Step 2) Specify who has the privilege to act as proxy
The privilege setting depends on what server you are using.
Step 3) Specify who can act as proxy and on what target
aci: (target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Who can use proxy on what";
allow (proxy) userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)
Step 4) Specify the proxied user's right
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
(version 3.0; acl "Developers can access all departments";
allow (all) userdn="ldap:///uid=*,ou=Develop,dc=example,dc=com";)

Post by aci member:
Run #1 Search Operation |
C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com" -w secret -b "dc=example,dc=com" "(uid=user.3)"
Nothing is returned, because no aci was set to allow users from the Support department to search or read.
C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Develop,dc=example,dc=com" -w secret -b "dc=example,dc=com" "(uid=user.3)"
dn: uid=user.3,ou=Sales,dc=example,dc=com
dn: uid=user.3,ou=Support,dc=example,dc=com
dn: uid=user.3,ou=Develop,dc=example,dc=com
The search as a user from the Develop department returns all three user accounts whose uid matches the value 'user.3'.
C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com" -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com" -b "dc=example,dc=com" "(uid=user.3)"
dn: uid=user.3,ou=Sales,dc=example,dc=com
The same search with the same user from Support, but using the proxy right of another user from the Develop department, returns one result. This is because the proxy rule has narrowed the target to the Sales department via proxy.

Post by aci member:
Run #2 Modify Operation |
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com" -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Sales,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Sales,dc=example,dc=com
^C
Succeeded(0) -- Works as expected
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com" -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Support,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Support,dc=example,dc=com
ldap_modify: Insufficient access
Failed: Insufficient access rights (50) -- Even though "uid=user.2,ou=Develop,dc=example,dc=com" has the right to modify the entry "uid=user.3,ou=Support,dc=example,dc=com", the proxy aci forbids the user from doing so (the user can only touch the target, which has been narrowed down to the Sales department).

Post by aci member:
OpenDJ requires a privilege to act as proxy
Step 2) Specify who has the privilege to act as proxy
The privilege setting depends on what server you are using. For example, OpenDJ requires the privilege "proxied-auth" to do so.
C:\>ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w password
dn: uid=user.1,ou=Support,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
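Added here as an illustration, not code from the thread or from OpenDJ: a small Python model of the decision logic the step-by-step guide, Run #1, Run #2 and the privilege post describe. It parses the Step 3 and Step 4 ACIs exactly as posted, treats the proxied-auth privilege of the last post as a set of DNs, and searches three constructed entries matching Run #1; it assumes subtree scope and allow rules only, ignores targetattr, and never lets "all" expand to "proxy".

```python
import re
# Added model of the thread's ACI logic (not OpenDJ's evaluator): subtree scope,
# allow rules only, targetattr ignored, and "all" never expands to "proxy".
ACIS = [  # Step 3 and Step 4 ACIs exactly as posted in the thread
    '(target="ldap:///ou=Sales,dc=example,dc=com")(targetattr="*")(version 3.0; '
    'acl "Who can use proxy on what"; allow (proxy) '
    'userdn="ldap:///uid=*,ou=Support,dc=example,dc=com";)',
    '(target="ldap:///dc=example,dc=com")(targetattr="*")(version 3.0; '
    'acl "Developers can access all departments"; allow (all) '
    'userdn="ldap:///uid=*,ou=Develop,dc=example,dc=com";)',
]
PROXIED_AUTH_PRIV = {"uid=user.1,ou=support,dc=example,dc=com"}  # Step 2 grant (last post)
ALL_RIGHTS = {"read", "search", "compare", "write", "selfwrite", "add", "delete"}
ACI_RE = re.compile(r'\(target="ldap:///([^"]+)"\).*?allow \(([^)]+)\) userdn="ldap:///([^"]+)"')
def parse_aci(aci):
    """Extract target DN, granted rights and userdn pattern from one ACI string."""
    target, rights, userdn = ACI_RE.search(aci).groups()
    return {"target": target.lower(), "rights": {r.strip() for r in rights.split(",")}, "userdn": userdn.lower()}

RULES = [parse_aci(a) for a in ACIS]

def in_scope(entry_dn, target_dn):
    """Entry is the target itself or lies below it in the tree (subtree scope)."""
    return entry_dn == target_dn or entry_dn.endswith("," + target_dn)

def matches_userdn(dn, pattern):
    """'all' means any authenticated user; '*' in an RDN value matches within that RDN."""
    return pattern == "all" or re.fullmatch(re.escape(pattern).replace(r"\*", "[^,]*"), dn) is not None

def rights_for(dn, entry_dn):
    """Union of the rights the allow rules give dn on entry_dn (lower-cased DNs)."""
    rights = set()
    for r in RULES:
        if in_scope(entry_dn, r["target"]) and matches_userdn(dn, r["userdn"]):
            rights |= ALL_RIGHTS if "all" in r["rights"] else r["rights"]
    return rights

def is_allowed(bind_dn, entry_dn, right, proxy_dn=None):
    """Direct bind: the bound user's own rights decide. Proxied bind: the bound user needs
    the privilege AND a 'proxy' right on the entry (this narrows the target), then the proxied user's rights decide."""
    bind_dn, entry_dn = bind_dn.lower(), entry_dn.lower()
    if proxy_dn is None:
        return right in rights_for(bind_dn, entry_dn)
    if bind_dn not in PROXIED_AUTH_PRIV or "proxy" not in rights_for(bind_dn, entry_dn):
        return False
    return right in rights_for(proxy_dn.lower(), entry_dn)
ENTRIES = ["uid=user.3,ou=%s,dc=example,dc=com" % ou for ou in ("Sales", "Support", "Develop")]  # constructed (Run #1)
def search(bind_dn, proxy_dn=None):
    """Entries a search for (uid=user.3) returns under this bind, direct or proxied."""
    return [e for e in ENTRIES if is_allowed(bind_dn, e, "read", proxy_dn)]
```

With these inputs the model reproduces the thread's outcomes: the Support user alone sees nothing, the Develop user sees all three entries, the Support user proxying as user.2 sees only the Sales entry and can modify it but not the Support entry, and a Support user without the privilege gets nothing through the proxy.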