Proxy Authentication; Preventing Authentication By Account Inactivation - Netscape DIRECTORY SERVER 6.01 - DEPLOYMENT Deployment Manual

Proxy Authentication

Proxy authentication is a special form of authentication: the user requesting
access to the directory binds with its own DN and credentials, but asks that the
operation be evaluated with the rights of a proxy DN. The proxy DN is an entity
that has appropriate rights to perform the operation requested by the user. When
you grant proxy rights to a person or an application, you grant the right to
specify any DN as a proxy DN, with the exception of the Directory Manager DN.
Because the holder of the proxy right can act as any other identity in the
directory, grant it only to trusted applications and service accounts.
The proxy mechanism is very powerful. One of its main advantages is that you can
enable an LDAP application to use a single connection with a single bind to service
multiple users making requests against the Directory Server. Instead of having to
bind and authenticate for each user, the client application binds to the Directory
Server once and supplies each user's identity as a proxy DN.
The proxy DN is specified in the LDAP operation submitted by the client
application. For example:

% ldapmodify -D "cn=joe" -w secretpwd -y "cn=manager,dc=example,dc=com" -b "example.com" -f mods.ldif

This ldapmodify command gives a user named Joe the permissions of the manager
entry (cn=manager) to apply the modifications in the mods.ldif file. Note that
he does not need to provide the password for the manager: the connection is
authenticated as cn=joe with Joe's own password, and the server then checks that
cn=joe holds the proxy right before evaluating the operation as cn=manager.

Preventing Authentication by Account Inactivation

You can temporarily inactivate a user account or a set of accounts. Once
inactivated, a user cannot bind to the directory, and the authentication operation
fails.

Account inactivation is implemented through the operational attribute
nsAccountLock. When an entry contains the nsAccountLock attribute with a value
of true, the server rejects the bind.

You use the same procedures for inactivating users and roles. However,
inactivating a role means that you inactivate all of the members of that role and not
the role entry itself. For more information about roles, refer to "About Roles," on
page 71.

Netscape Directory Server Deployment Guide • January 2002
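The following is an added example, not code from the Netscape manual or from the Directory Server itself. It shows in working Python what the two sections above describe: a client builds a ModifyRequest that travels on a connection bound as cn=joe but carries a proxied authorization control naming cn=manager; the server recovers the proxy DN from the control, checks that the bound user holds the proxy right and that the proxy DN is not the Directory Manager, and separately applies the nsAccountLock rule at bind time. Assumptions: the control used is the RFC 4370 proxied authorization control (OID 2.16.840.1.113730.3.4.18) rather than whatever the 6.01 ldapmodify -y option emitted, which the page does not state; the Directory Manager DN is cn=Directory Manager; the set of DNs holding the proxy right is a constructed Python collection standing in for the directory's ACIs; and DN comparison is a crude case-and-spacing normalisation, not full RFC 4514 matching.

```python
# Added example (not from the Netscape manual): LDAP proxied authorization on the
# wire plus the server-side decisions the text describes. Standard library only;
# the BER code covers just what these messages need.
import re

PROXY_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 proxied authorization control
DIRECTORY_MANAGER_DN = "cn=Directory Manager"    # assumption: this server's root DN
MOD_OPS = {"add": 0, "delete": 1, "replace": 2}  # ModifyRequest operation ENUMERATED

# --- minimal BER encoding -----------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def _integer(v):  # non-negative only; an extra 0x00 keeps the sign bit clear
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big") if v else b"\x00")

def _octets(s):
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)

def _boolean(b):
    return _tlv(0x01, b"\xff" if b else b"\x00")

def _seq(*parts, tag=0x30):
    return _tlv(tag, b"".join(parts))

def modify_request(msg_id, target_dn, changes, proxy_dn=None):
    """LDAPMessage { messageID, ModifyRequest [APPLICATION 6], controls [0] }.
    changes: list of (op, attribute, [values]). With proxy_dn the message carries
    the proxied authorization control (critical, as RFC 4370 requires): the server
    evaluates the change as proxy_dn while the connection stays bound as the
    caller, which is the ldapmodify -y situation in the text."""
    change_list = b"".join(
        _seq(_tlv(0x0A, bytes([MOD_OPS[op]])),
             _seq(_octets(attr), _seq(*[_octets(v) for v in vals], tag=0x31)))
        for op, attr, vals in changes)
    protocol_op = _seq(_octets(target_dn), _seq(change_list), tag=0x66)
    parts = [_integer(msg_id), protocol_op]
    if proxy_dn is not None:
        control = _seq(_octets(PROXY_AUTHZ_V2_OID), _boolean(True),
                       _octets("dn:" + proxy_dn))
        parts.append(_seq(control, tag=0xA0))  # controls [0]
    return _seq(*parts)

# --- server side: decode the control, then decide ------------------------------
def _read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        out.append((tag, val))
    return out

def proxy_dn_from_message(msg):
    """Return the DN named by a proxied authorization control, or None if absent."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    for ctag, cval in _children(body):
        if ctag != 0xA0:
            continue
        for _, control in _children(cval):
            fields = _children(control)  # [OID, criticality?, value?]
            value = fields[-1][1] if len(fields) > 1 and fields[-1][0] == 0x04 else b""
            if fields[0][1].decode() == PROXY_AUTHZ_V2_OID:
                authz = value.decode()
                if not authz.lower().startswith("dn:"):
                    raise ValueError("only dn: authzIds are handled here")
                return authz[3:]
    return None

def _norm(dn):  # crude DN normalisation: case and spacing around commas
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())

def authorize_proxy(bound_dn, proxy_dn, proxy_grants):
    """May bound_dn act as proxy_dn? proxy_grants is a constructed stand-in for
    the directory's ACIs: the DNs that hold the proxy right. A holder may name
    any DN except the Directory Manager, the one exception the text calls out."""
    if _norm(proxy_dn) == _norm(DIRECTORY_MANAGER_DN):
        return False
    return _norm(bound_dn) in {_norm(d) for d in proxy_grants}

def bind_allowed(entry):
    """Bind-time rule from the inactivation section: an entry whose nsAccountLock
    is true cannot authenticate. Attribute names and boolean values are compared
    case-insensitively, as LDAP servers do."""
    for attr, vals in entry.items():
        if attr.lower() == "nsaccountlock":
            return not any(v.strip().lower() == "true" for v in vals)
    return True
```

A server that accepts the control without consulting the proxy right would let any authenticated user act as anyone; authorize_proxy is the check that makes the password-less manager operation in the example safe, and the Directory Manager exclusion is what stops a proxy holder from escalating to the root DN.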