Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition

Directory Proxy Server Configured for Proxy Authorization and the Client Request Does Contain a Proxy Authorization

Figure 19–3 shows the flow of information when the client in Figure 19–2 makes a request that does contain a proxy authorization control. Directory Proxy Server verifies that the client has the right to use its proxy authorization control.

Figure 19–4 Information Flow When Proxy Authorization Control Is Contained in the Client Request

Figure: the flow of information when a proxy authorization control is contained in a client request.

  1. The client sends a SEARCH request, SEARCH 1, that contains a proxy authorization control. The request is targeted at LDAP server 1.

  2. Directory Proxy Server verifies that the clientDN has the right to use a proxy authorization control on LDAP server 1, by getting the effective rights of the client on LDAP server 1. For information about how to get effective rights, see Viewing Effective Rights in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

  3. Directory Proxy Server forwards the SEARCH operation to LDAP server 1, reusing connection 2.

    The SEARCH operation is performed with the authorization of the user specified in the proxy authorization control. The authorization is defined in the RW ACIs on the LDAP server.

  4. The client sends a second SEARCH request, SEARCH 2, that contains a proxy authorization control. The request is targeted at LDAP server 2.

  5. Directory Proxy Server verifies that the clientDN has the right to use a proxy authorization control on LDAP server 2, by getting the effective rights of the client on LDAP server 2.

  6. Directory Proxy Server forwards the SEARCH operation to LDAP server 2, reusing connection 3.

    Notice that the client does not need to bind to LDAP server 2 before the request is processed, and LDAP server 2 does not need to contain an entry for the client.
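As an added example, not part of this reference page or of the product's own code, the following Python builds and parses the proxied authorization control (RFC 4370) that travels in SEARCH 1 and SEARCH 2, and models the gate of steps 2 and 5 in which Directory Proxy Server forwards only when the bound client holds the proxy right on the target server. The DNs and the effective_rights table are constructed stand-ins for the servers' effective-rights answers.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # Proxied Authorization control, RFC 4370
def _ber_len(n):                                # BER length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def encode_proxy_authz_control(authz_id, critical=True):
    """Control ::= SEQUENCE { controlType, criticality, controlValue }. RFC 4370 requires
    criticality TRUE so an unaware server refuses rather than running as the bound DN."""
    if authz_id and not authz_id.startswith(("dn:", "u:")):  # "" means anonymous
        raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>' or empty")
    body = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    body += _tlv(0x01, b"\xff" if critical else b"\x00")
    body += _tlv(0x04, authz_id.encode("utf-8"))  # value is the bare authzId, no extra wrapping
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_control(raw):
    """Return (oid, critical, value) from a BER-encoded LDAP Control SEQUENCE."""
    _, body, _ = _read_tlv(raw, 0)
    _, oid, pos = _read_tlv(body, 0)
    critical, value = False, None               # criticality DEFAULT FALSE, value OPTIONAL
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x01:
            critical = v != b"\x00"
        elif t == 0x04:
            value = v.decode("utf-8")
    return oid.decode("ascii"), critical, value

def proxy_decision(client_dn, control_raw, effective_rights):
    """Steps 2 and 5: forward only if the bound client holds the proxy right on the target
    server. effective_rights is a constructed stand-in: {client_dn: {"proxy": bool}}."""
    oid, critical, authz_id = decode_control(control_raw)
    if oid != PROXY_AUTHZ_OID:
        return "no proxy control: run as client"
    if not critical:
        return "reject: control must be critical"
    if not effective_rights.get(client_dn, {}).get("proxy", False):
        return "reject: client lacks proxy right"
    return "forward as " + authz_id
```

The decision string is what the proxy would do next: forward the SEARCH to the LDAP server with the control attached, so the server applies its RW ACIs to the proxied identity, or refuse before anything reaches the server.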