Authentication is all about establishing identity, and anonymous is considered a special case of identity. Anonymous access provides no security: every unauthenticated connection to the directory can browse and read all Network Information records (including password and shadow information). However, even without any security it might be an appropriate choice for some installations, and it is allowed.
In the case of proxy agent identity, the client authenticates to the directory using a proxy account in the directory. This proxy account can be any entry that is allowed to bind to the directory (in the iPlanet Directory Server, this translates to any entry that has a userPassword attribute).
Access control to parts of the information in the directory can be achieved by setting appropriate ACIs that restrict or grant various rights based on the proxy's identity. Furthermore, since there is no fixed relationship between the number of proxy agents and the number of clients, you can have any combination of the two. For example, at one extreme a deployment could have one proxy agent for all its clients and grant that proxy read access to all parts of the DIT that contain naming information. At the other extreme, one could set up a server where each client authenticates using a different proxy agent, and set the ACIs to restrict access per client. A typical deployment lies somewhere between these two extremes. The level of granularity is a choice for the directory architect and must be considered carefully. Too few proxy agents might limit the ability of the system administrator to control access to resources, but too many agents complicate the setup and maintenance of the system, because a large number of profiles is required as well.
Because client configuration is stored in profiles, there is a direct relationship between the number of proxies used and profiles that need to be defined.
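The two extremes described above, written as ACIs in LDIF. This is an added example, not taken from the original documentation; the suffix dc=example,dc=com, the entry names, the ACL names and the password placeholder are all assumptions.

```ldif
# Constructed example: every DN, ACL name and value below is hypothetical.

# Case 1: one proxy agent shared by all clients.
# Any entry with a userPassword attribute can act as the proxy account.
dn: cn=proxyagent,ou=profile,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: proxyagent
sn: proxyagent
userPassword: REPLACE-WITH-SECRET

# Grant that single identity read access to the whole naming subtree.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "shared-proxy-read"; allow (read,search,compare) userdn="ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

# Case 2: a separate proxy agent for one client (or group of clients).
dn: cn=proxy-eng,ou=profile,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: proxy-eng
sn: proxy-eng
userPassword: REPLACE-WITH-SECRET

# The ACI sits on the subtree this client needs, so the proxy's
# rights end at ou=eng instead of covering the whole DIT.
dn: ou=eng,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "eng-proxy-read"; allow (read,search,compare) userdn="ldap:///cn=proxy-eng,ou=profile,dc=example,dc=com";)
```

These ACIs only grant rights; they restrict nothing while another ACI still grants the same access to anonymous binds. Each proxy agent also needs a client profile that names it, so Case 2 multiplies profiles along with proxies.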