Proxy Authentication - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

Hide thumbs Also See for DIRECTORY SERVER 8.1 - DEPLOYMENT:

Command reference manual (372 pages)

Configuration and command reference (292 pages)

Reference (228 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

page of 164

/ 164
Contents
Table of Contents
Bookmarks

Table of Contents

For more information about certificates and SSL, see the Administrator's Guide.

8.4.4. Simple Password over SSL/TLS

When a secure connection is established between Directory Server and a client application using SSL

or the Start TLS operation, the server can demand an extra level of authentication by requesting a

password. In such cases, the password is not transmitted in plain text.

For more information about SSL, see

information about the Start TLS operation, refer to the Administrator's Guide.

8.4.5. Simple Authentication and Security Layer

A method for adding authentication support to connection-based protocols. Especially useful in

conjunction with Kerberos, allow the use of Kerberos credentials to authenticate to the directory.

8.4.6. Proxy Authentication

Proxy authentication is a special form of authentication because the user requesting access to the

directory does not bind with its own DN but with a proxy DN.

The proxy DN is an entity that has appropriate rights to perform the operation requested by the user.

When proxy rights are granted to a person or an application, they are granted the right to specify any

DN as a proxy DN, with the exception of the Directory Manager DN.

One of the main advantages of proxy right is that an LDAP application can be enabled to use a single

thread with a single bind to service multiple users making requests against the Directory Server.

Instead of having to bind and authenticate for each user, the client application binds to the Directory

Server using a proxy DN.

The proxy DN is specified in the LDAP operation submitted by the client application. For example:

/usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -D

"cn=directory manager" -w secret -p 389 -h server.example.com -Y "cn=joe,

dc=example,dc=com" -f mods.ldif

This ldapmodify command gives the manager entry (cn=Directory Manager) the permissions of

a user named Joe (cn=joe) to apply the modifications in the mods.ldif file. The manager does not

need to provide Joe's password to make this change.

NOTE

The proxy mechanism is very powerful and must be used sparingly. Proxy rights

are granted within the scope of the ACL, and there is no way to restrict who can be

impersonated by an entry that has the proxy right. That is, when a user is granted proxy

rights, that user has the ability to proxy for any user under the target; there is no way to

restrict the proxy rights to only certain users.

For example, if an entity has proxy rights to the dc=example, dc=com tree, that entity

can do anything. Therefore, ensure that the proxy ACI is set at the lowest possible level of

the DIT.

Section 8.9, "Securing Server to Server

Simple Password over SSL/TLS

Connections". For

117

Table of Contents

Proxy Authentication - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

8.4.6. Proxy Authentication

Related Manuals for Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT

Related Content for Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT

Table of Contents