Proxy authorization group

Edit online

The proxy authorization is a special form of authentication. By using the proxy authorization mechanism, a client application can bind to the directory with its own identity but is allowed to perform operations on behalf of another user to access the target directory.

A set of trusted applications or users can access the Directory Server on behalf of multiple users.

Note: Proxy authorization is different from the Proxy Server.

The members in the proxy authorization group can assume any authenticated identities except for the administrator or members of the local or global administrative groups. Members of the proxy authorization group also have the authority to use the group authorization control.

Note: The administrator and members of the local administrative group have the authority to assume the identity of a global administrator group member by sending a group authorization control for the global administrator group.

The proxy authorization group is stored under either localhost or IBMpolicies.

A proxy authorization group under IBMpolicies is replicated. A proxy authorization group under localhost is not. You can store the proxy authorization group under both localhost and IBMpolicies. If the proxy group is not stored under one of these DNs, the server ignores the proxy part of the group and treats it as a normal group.

As an example, a client application, client1, can bind to the Directory Server with a high level of access permissions. UserA with limited permissions sends a request to the client application. If the client is a member of the proxy authorization group, instead of passing the request to the Directory Server as client1, it can pass the request as UserA using the more limited level of permissions. What this means is that instead of performing the request as client1, the application server can access only that information or perform only those actions that UserA is able to access or perform. It performs the request on behalf of or as a proxy for UserA.

Note: The attribute member must have its value in the form of a DN. Otherwise an

Invalid DN
syntax

message is returned. A group DN is not permitted to be a member of the proxy authorization group.

Administrators and administrative group members are not permitted to be members of the proxy authorization group. All administrators have the authority to use the proxy authorization control, without being part of that group.

The audit log records both the bind DN and the proxy DN for each action performed using proxy authorization.

Although the proxy authorization group can be managed by the Web Administration Tool, proxy authorization is not recognized by any of the other Web Administration Tool functions. The proxy authorization function is utilized by including the Proxy Authorization Control with your LDAP operations or using the LDAP commands with the -y option. For example:

idsldapsearch -D "cn=client1,ou=austin,o=sample" -w <client1password> 
-y "cn=userA,o=sample" -b "o=sample" -s sub ou=austin

Based on the above idsldap search specification, client1 can read from the target directories whatever userA has permission to read.