JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
search filter icon
search icon

Document Information


1.  Starting and Stopping the Server

2.  Configuring the Server Instance

3.  Configuring the Proxy Components

4.  Configuring Security Between Clients and Servers

5.  Configuring Security Between the Proxy and the Data Source

6.  Managing Oracle Unified Directory With Oracle Directory Services Manager

7.  Managing Directory Data

8.  Replicating Directory Data

9.  Controlling Access To Data

Managing Global ACIs With dsconfig

Default Global ACIs

To Display the Global ACIs

To Delete a Global ACI

To Add a Global ACI

Managing ACIs With ldapmodify

To View ACI Attribute Values

To Add an ACI

To Remove an ACI

Managing Access Control With Oracle Directory Services Manager

Display the Configured ACIs

Create an Access Control Point

Create an Access Control Point Based on an Existing Access Control Point

Delete an Access Control Point

Add an ACI

Add an ACI Based on an Existing ACI

Modify an ACI

Access Control Usage Examples

Disabling Anonymous Access

Granting Write Access to Personal Entries

Granting Write Access Based on DNS

Granting Write Access Based on Authentication Method

Granting a Group Full Access to a Suffix

Granting Rights to Add and Delete Group Entries

Creating a "Create Group" ACI

Creating a "Delete Group" ACI

Allowing Users to Add or Remove Themselves From a Group

Granting Conditional Access to a Group

Denying Access

Defining Permissions for DNs That Contain a Comma

Proxy Authorization ACIs

Viewing Effective Rights

The Get Effective Rights Control

Using the Get Effective Rights Control

Understanding Effective Rights Results

Rights Information

write, selfwrite_add, and selfwrite_delete Permissions

Logging Information

Restricting Access to the Get Effective Rights Control

10.  Managing Users and Groups With dsconfig

11.  Managing Password Policies

12.  Managing Directory Schema

13.  Monitoring Oracle Unified Directory

14.  Tuning Performance

15.  Advanced Administration

Proxy Authorization ACIs

The proxy authorization method is a special form of authentication: a user that binds to the directory using his own identity is granted the rights of another user, through proxy authorization.

This example makes the following assumptions:

For the client application to gain access to the Accounting subtree (using the same access permissions as the Accounting Administrator), the application requires the following rights and controls:

With these ACIs in place, the MoneyWizAcctSoftware client application can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the proxy DN.

In the previous example, if the client wanted to perform an ldapsearch command, the command would include the following controls:

$ ldapsearch -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
  -w password -Y "dn:uid=AcctAdministrator,ou=Administrators,dc=example,dc=com" \
  -b "ou=Accounting,dc=example,dc=com"  "objectclass=*"\

The base of the search must match the target of the ACIs. The client binds as itself but is granted the privileges of the proxy entry. The client does not need the password of the proxy entry.

For more information, see To Search Using the Proxied Authorization Control.