Proxy Authentication
Proxy authentication is a special form of authentication because the user requesting
access to the directory does not bind with its own DN but with a proxy DN.
The proxy DN is an entity that has appropriate rights to perform the operation
requested by the user. When you grant proxy rights to a person or an application,
you grant the right to specify any DN as a proxy DN, with the exception of the
Directory Manager DN.
One of the main advantages of the proxy right is that you can enable an LDAP
application to use a single thread with a single bind to service multiple users
making requests against the Directory Server. Instead of having to bind and
authenticate for each user, the client application binds to the Directory Server
once, using a proxy DN.
The proxy DN is specified in the LDAP operation submitted by the client
application. For example:

% ldapmodify -D "cn=manager" -w secretpwd -y "cn=joe,dc=example,dc=com" -b "example.com" -f mods.ldif

This ldapmodify command gives the manager entry (cn=manager) the permissions
of a user named Joe (cn=joe) to apply the modifications in the mods.ldif file. Note
that the manager does not need to provide Joe's password for making this change.

NOTE The proxy mechanism is very powerful and must be used sparingly.
Proxy rights are granted within the scope of the ACL and there is no
way to restrict who an entry that has the proxy right can
impersonate—that is, when you grant a user proxy rights, that user
has the ability to proxy for any user under the target; there is no way
to restrict the proxy rights to only certain users. For example, if an
entity has proxy rights to the dc=example,dc=com tree, that entity
can do anything. So, make sure you set the proxy ACI at the lowest
possible level of the DIT. For more information on this, see "Proxied
Authorization ACI Example" in Chapter 6, "Managing Access
Control" of the Netscape Directory Server Administrator's Guide.

Preventing Authentication by Account Inactivation
You can temporarily inactivate a user account or a set of accounts. Once
inactivated, a user cannot bind to the directory, and the authentication operation
fails.

138
Netscape Directory Server Deployment Guide • August 2002
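The note above warns that a proxy right cannot be narrowed to particular users, so its blast radius is set only by where in the DIT the ACI is placed. The following audit script is an added example, not part of the guide: it reads an LDIF dump of directory entries, unfolds continuation lines, picks out every aci value whose allow list contains the proxy right, and flags those attached at (or above) the suffix entry, where the holder could impersonate anyone in the tree. The sample LDIF, the ACL names and the uid=app DN are constructed for this example; the ACI syntax is the (targetattr)(version 3.0; acl "name"; allow (rights) userdn=...;) form used by the Netscape Directory Server.

```python
import re

# Constructed sample LDIF (not from the guide): one proxy ACI sits on the suffix
# entry, the other on ou=People. Long aci values are folded LDIF-style with a
# leading space on the continuation line.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
aci: (targetattr="*")(version 3.0; acl "proxy at suffix";
  allow (proxy) userdn="ldap:///cn=manager,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "anonymous read";
  allow (read,search,compare) userdn="ldap:///anyone";)

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
aci: (targetattr="*")(version 3.0; acl "proxy for app";
  allow (proxy) userdn="ldap:///uid=app,ou=Services,dc=example,dc=com";)
"""

ALLOW_RE = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_ldif(text):
    """Return a list of (dn, [aci values]) per entry, unfolding continuation lines."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # LDIF folding: a leading space continues the previous line
            else:
                lines.append(raw)
        dn, acis = None, []
        for line in lines:
            attr, _, value = line.partition(":")  # split on the first colon only
            if attr.strip().lower() == "dn":
                dn = value.strip()
            elif attr.strip().lower() == "aci":
                acis.append(value.strip())
        if dn is not None:
            entries.append((dn, acis))
    return entries


def dn_depth(dn):
    """Number of RDN components; the suffix is the shallowest entry in the tree."""
    return len([part for part in dn.split(",") if part.strip()])


def audit_proxy_acis(ldif_text, suffix):
    """List every ACI granting the proxy right, marking those placed at the suffix level."""
    suffix_depth = dn_depth(suffix)
    findings = []
    for dn, acis in parse_ldif(ldif_text):
        for aci in acis:
            rights = [r.strip().lower()
                      for m in ALLOW_RE.finditer(aci)
                      for r in m.group(1).split(",")]
            if "proxy" not in rights:
                continue
            name = ACL_NAME_RE.search(aci)
            subject = USERDN_RE.search(aci)
            findings.append({
                "entry": dn,
                "acl": name.group(1) if name else "",
                "subject": subject.group(1) if subject else "",
                "depth": dn_depth(dn),
                # Proxy right granted at the suffix: the holder can act as any entry in the tree.
                "at_suffix": dn_depth(dn) <= suffix_depth,
            })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_acis(SAMPLE_LDIF, "dc=example,dc=com"):
        level = "SUFFIX-LEVEL" if f["at_suffix"] else "scoped"
        print(f'{level:12} {f["entry"]:32} acl="{f["acl"]}" subject={f["subject"]}')
```

Run against a real export, the flagged rows are the ACIs to move down to the narrowest subtree the proxying application actually needs, as the note recommends; the ACI on ou=People in the sample is reported but not flagged.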