IBM Security Directory Server, Version 6.3.1

LDAP_CREATE_PROXYAUTH_CONTROL

Use the LDAP_CREATE_PROXYAUTH_CONTROL API or LDAP routine to create an LDAP control that allows a bind entity to assume a proxy identity.

Synopsis

#include <ldap.h>


int ldap_create_proxyauth_control(
       LDAP            *ld,
       char            *proxyDN,
       int             iscritical,
       LDAPControl     **controlp)


int ldap_proxy_dn_prefix(
       char            **proxyDN,
       char            *parm)

Input parameters

ld
Specifies the LDAP pointer that is returned by a previous call to ldap_init(), ldap_ssl_init(), or ldap_open().
proxyDN
Specifies the DN of the entry whose identity the client assumes.
iscritical
Specifies whether the proxy authorization control is critical to the current operation. This parameter must be set to a non-zero value.
controlp
Pointer to a pointer to the control structure that is created by this function. The caller must free this control by calling the ldap_control_free() function when the control is no longer needed.

Usage

This API is used to create an LDAP control that contains the proxy authorization identity. The created proxy authorization control is then included in LDAP operations to request an operation from the server.

Using the proxy authorization control mechanism, a client binds to the LDAP directory with its own identity but is granted the proxy authorization rights of another user when it accesses the target directory.

When the LDAP server receives an operation that carries the proxy authorization control, the bind DN is validated against the administrative group or the predefined proxy authorization group. This validation determines whether the bind DN is granted the proxy authorization right. In other words, the bound application client must be a member of the administrative group or the proxy authorization group to request a proxy authorization operation.

For a specific DN, the ldap_proxy_dn_prefix function ensures that the DN carries the proxy DN prefix. The DN is passed in through the parm parameter, and the result is returned through the proxyDN parameter. If the passed-in DN already has the "dn:" prefix, the parameter is copied into the return value. If the passed-in DN does not have the "dn:" prefix, a new string is allocated with the "dn:" prefix added. The return code can be:
  • LDAP_PARAM_ERROR if the param is null
  • LDAP_NO_MEMORY if the function failed to allocate memory
  • LDAP_SUCCESS if a new proxyDN was successfully allocated
If LDAP_SUCCESS is returned, it is the responsibility of the caller to free the returned proxyDN.
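The prefix rule and return-code contract described above, written out as an added, self-contained C example. This is not IBM's implementation and does not link against ldap.h: the function name proxy_dn_prefix, the result codes and the sample DNs are local stand-ins chosen for illustration.

```c
/* Added example: a stand-in for the documented contract of
 * ldap_proxy_dn_prefix(). Not IBM's code; the LDAP_* values below are
 * local placeholders, not the library's own definitions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS      0
#define LDAP_PARAM_ERROR  89   /* placeholder value */
#define LDAP_NO_MEMORY    90   /* placeholder value */

#define DN_PREFIX "dn:"

/* Ensure *proxyDN carries the "dn:" prefix.
 * - parm NULL              -> LDAP_PARAM_ERROR, *proxyDN untouched
 * - parm already prefixed  -> plain copy
 * - parm without prefix    -> new string with "dn:" prepended
 * On LDAP_SUCCESS the caller owns *proxyDN and must free() it. */
int proxy_dn_prefix(char **proxyDN, const char *parm)
{
    size_t prefix_len = strlen(DN_PREFIX);
    size_t parm_len, out_len;
    char *out;

    if (parm == NULL || proxyDN == NULL)
        return LDAP_PARAM_ERROR;

    parm_len = strlen(parm);
    if (strncmp(parm, DN_PREFIX, prefix_len) == 0) {
        out_len = parm_len + 1;                 /* copy as-is */
        out = malloc(out_len);
        if (out == NULL)
            return LDAP_NO_MEMORY;
        memcpy(out, parm, out_len);
    } else {
        out_len = prefix_len + parm_len + 1;    /* room for "dn:" + DN + NUL */
        out = malloc(out_len);
        if (out == NULL)
            return LDAP_NO_MEMORY;
        memcpy(out, DN_PREFIX, prefix_len);
        memcpy(out + prefix_len, parm, parm_len + 1);
    }
    *proxyDN = out;
    return LDAP_SUCCESS;
}

int main(void)
{
    char *authz = NULL;   /* sample DN below is constructed for the example */
    if (proxy_dn_prefix(&authz, "cn=app,o=example") == LDAP_SUCCESS) {
        printf("%s\n", authz);   /* prints: dn:cn=app,o=example */
        free(authz);             /* caller frees on LDAP_SUCCESS */
    }
    return 0;
}
```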

Errors

LDAP_PARAM_ERROR is returned if an invalid parameter was passed.

LDAP_NO_MEMORY is returned if memory cannot be allocated.

LDAP_ENCODING_ERROR is returned if an error occurred while encoding the control.

LDAP_UNAVAILABLE_CRITICAL_EXTENSION is returned if the server does not support proxy authorization and iscritical is set to a non-zero value.

See also

ldap controls, ldap_bind, ldap_search, ldap_modify, ldap_delete, ldap_add
