Proxy Authorization (Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition)

Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition

Proxy Authorization

Proxy authorization allows requests from clients to be processed with a proxy identity instead of the identity of the client. A client, binding with its own identity is granted, through proxy authorization, the rights of a proxy user. The Access Control Instructions (ACIs) of the proxy user, not the ACIs of the client, are evaluated to allow or deny the operation.

Before performing an operation with proxy authorization, the account of the proxy user is validated. If the proxy user account is locked out, inactivated, if the password has been reset or has expired the client operation is aborted.

By using proxy authorization, an LDAP application can use a single bind to service multiple users who are making requests against Directory Server. Instead of having to bind and authenticate for each user, the client application binds to Directory Server and uses proxy rights.

The following conditions must be satisfied in order to use proxy authorization:

The Directory Server must be configured with appropriate ACIs for the proxy identity.

For example, the following ACI gives the administrator the ALL access right:
aci: (targetattr="*") (version 3.0; acl "allowAll-Admin"; allow (all) userdn="ldap:///uid=Administrator, ou=Administrators, dc=example,dc=com";)
The Directory Server must be configured with permission for proxy identity to act as the proxy for other users.

For example, the following ACI gives the administrator the right to act as the proxy for the user ClientApplication:
aci: (targetattr="*") (version 3.0; acl "allowproxy- accountingsoftware"; allow (proxy) userdn= "ldap:///dn:uid=ClientApplication,ou=Applications, dc=example,dc=com";)

The following sample shows the user ClientApplication performing a search operation by using the Administrator proxy identity:

$ ldapsearch \
-D "uid=ClientApplication,ou=Applications,dc=example,dc=com" \
-w password \
-y "uid=Administrator,ou=Administrators,dc=example,dc=com" ...

Note that the client binds as itself, but is granted the privileges of the proxy entry. The client does not need the password of the proxy entry.

Proxy rights can be granted to any user except the Directory Manager.

For information about how to configure proxy authorization, see Proxy Authorization in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.