Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
Proxy authorization is a special form of authorization: a user that binds to the directory with its own identity and credentials is granted, for the operations it proxies, the access rights of another user. The client attaches the proxied authorization control to each request and names the user whose rights are to be used.
This example makes the following assumptions:
The client application's bind DN is uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com.
The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com.
An Accounting Administrator with access permissions to the ou=Accounting,dc=example,dc=com subtree exists in the directory.
For the client application to gain access to the Accounting subtree (using the same access permissions as the Accounting Administrator), the application requires the following rights and controls:
The Accounting Administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree. The following ACI grants all rights to the Accounting Administrator entry:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")(version 3.0; acl "allow All-AcctAdmin"; allow (all) userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)
The client application must have proxy rights. The following ACI grants proxy rights to the client application:
aci: (target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")(version 3.0; acl "allow proxy - accounting software"; allow (proxy) userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
The client application must be allowed to use the proxied authorization control (OID 2.16.840.1.113730.3.4.18). The following ACI allows the client application to use the control:
aci: (targetcontrol="2.16.840.1.113730.3.4.18")(version 3.0; acl "allow proxy auth - accounting software"; allow (all) userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)
With these ACIs in place, the MoneyWizAcctSoftware client application can bind to the directory as itself and send an LDAP command such as ldapsearch or ldapmodify that is evaluated with the access rights of the proxied DN.
In the previous example, if the client wanted to perform an ldapsearch command, the command would pass the proxied DN with the -Y (--proxyAs) option:
$ ldapsearch -D "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com" \
  -w password \
  -Y "dn:uid=AcctAdministrator,ou=Administrators,dc=example,dc=com" \
  -b "ou=Accounting,dc=example,dc=com" "objectclass=*" \
  ...
The search base must fall within the target of the ACIs (here ou=Accounting,dc=example,dc=com); a base outside that subtree is not covered by the proxy right and the request is denied. The client binds as itself but is granted the privileges of the proxied entry. The client never needs the password of the proxied entry, so the application's own credentials are what protects the Accounting Administrator's rights and must be guarded accordingly.
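The three requirements above are evaluated together on every proxied request: the bind DN must be allowed to use the control, the bind DN must hold the proxy right on the target, and the proxied DN must itself hold the right being exercised. The following Python script is an added example, not Oracle's code and not part of this guide; it parses the allow-only ACI syntax shown on this page into a small model and applies that three-way check, so you can see which missing ACI causes a denial. It is a simplified model: deny ACIs, targetfilter, bind rules other than userdn and the entry an ACI is stored on are not represented, ACIs with no target are assumed to apply only to control use, the right "all" is expanded to every right except proxy (proxy must be granted explicitly), and use of a control under targetcontrol is modelled as requiring read, which "all" includes. The ACI strings are constructed test data copied from the page.

```python
"""Minimal model of OUD proxied-authorization ACI evaluation (added example)."""
import re

PROXY_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"
# "all" grants every right except proxy; proxy must be granted on its own.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}

APP_DN = "uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com"
ADMIN_DN = "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
ACCT_BASE = "ou=Accounting,dc=example,dc=com"

# Constructed test data: the three ACIs from the page, whitespace normalised.
ACIS = [
    '(target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "allow All-AcctAdmin"; allow (all) '
    'userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";)',
    '(target="ldap:///ou=Accounting,dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "allow proxy - accounting software"; allow (proxy) '
    'userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)',
    '(targetcontrol="2.16.840.1.113730.3.4.18")'
    '(version 3.0; acl "allow proxy auth - accounting software"; allow (all) '
    'userdn="ldap:///uid=MoneyWizAcctSoftware,ou=Applications,dc=example,dc=com";)',
]


def norm_dn(dn):
    """Comparison form for a DN: lowercase, no blanks around the commas."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def parse_aci(aci):
    """Parse (target...)(version 3.0; acl "..."; allow (rights) userdn="...";)."""
    targets = dict(re.findall(r'\((target\w*)\s*=\s*"([^"]*)"\)', aci))
    rights = {r.strip() for r in
              re.search(r'allow\s*\(([^)]*)\)', aci).group(1).split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    users = {norm_dn(u) for u in re.findall(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)}
    target = targets.get("target")
    return {
        "name": re.search(r'acl\s+"([^"]*)"', aci).group(1),
        "target": norm_dn(target[len("ldap:///"):]) if target else None,
        "targetcontrol": targets.get("targetcontrol"),
        "rights": rights,
        "users": users,
    }


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def has_right(acis, user_dn, right, entry_dn):
    """True if an ACI whose target covers entry_dn grants `right` to user_dn."""
    u = norm_dn(user_dn)
    return any(a["target"] is not None and in_subtree(entry_dn, a["target"])
               and right in a["rights"] and u in a["users"] for a in acis)


def may_use_control(acis, user_dn, oid):
    """True if a targetcontrol ACI for oid grants read (included in all) to user_dn."""
    u = norm_dn(user_dn)
    return any(a["targetcontrol"] == oid and "read" in a["rights"] and u in a["users"]
               for a in acis)


def authorize(aci_strings, bind_dn, right, entry_dn, proxy_as=None):
    """Decide whether bind_dn, optionally acting as proxy_as, may exercise
    `right` on entry_dn.  Anything not explicitly allowed is denied."""
    acis = [parse_aci(s) for s in aci_strings]
    if proxy_as is None or norm_dn(proxy_as) == norm_dn(bind_dn):
        return has_right(acis, bind_dn, right, entry_dn)
    # Proxied request: all three conditions from the page must hold.
    return (may_use_control(acis, bind_dn, PROXY_AUTH_V2_OID)   # control allowed
            and has_right(acis, bind_dn, "proxy", entry_dn)     # proxy right on target
            and has_right(acis, proxy_as, right, entry_dn))     # proxied user's own right


if __name__ == "__main__":
    for label, args in [
        ("proxied search, all three ACIs", (ACIS, APP_DN, "search", ACCT_BASE, ADMIN_DN)),
        ("proxied search, control ACI missing", (ACIS[:2], APP_DN, "search", ACCT_BASE, ADMIN_DN)),
        ("application searching as itself", (ACIS, APP_DN, "search", ACCT_BASE)),
        ("proxied search outside target", (ACIS, APP_DN, "search", "ou=Sales,dc=example,dc=com", ADMIN_DN)),
    ]:
        print(f"{label}: {'ALLOW' if authorize(*args) else 'DENY'}")
```

Dropping any one of the three ACIs flips the proxied search to DENY, which is the behaviour to expect from the server when a proxied request fails: check the control ACI, the proxy right and the proxied user's own rights, in that order, before suspecting the search base.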
For more information, see To Search Using the Proxied Authorization Control.