14.14 Proxied Authorization Control

eDirectory provides the flexibility of controlling proxied authorization through the LDAP protocol as specified in RFC 4370. The proxied authorization control allows a client to request that an operation be processed with a provided authorization identity instead of the current authorization identity associated with the connection. This feature provides a mechanism for specifying an authorization identity for each operation, which benefits the clients that need to perform several operations on behalf of multiple users.

To use proxied authorization against the eDirectory server, the client must include the proxied authorization control (OID 2.16.840.1.113730.3.4.18) in its request. The authenticated user must have Supervisor rights on the impersonated user. To grant those rights in iManager:

  1. Create an eDirectory tree and add user objects to it.

  2. Log in to iManager > Roles and Tasks > Rights > Modify Trustee, and select a user.

  3. Click OK.

  4. Click Add Trustee and select another user from the list.

  5. Click Assigned Rights for the user.

  6. Select Supervisor for All Attribute Rights and Entry Rights for the user.

  7. Click Done, then click Apply.

To perform proxied authorization for ldapsearch, use the following command:

ldapsearch -x -h <SrvIP> -p <Port> -D <Admin DN> -w <Password> -e '!authzid=dn:<Impersonate user>' -b o=novell -s one

To perform other LDAP operations with proxied authorization, include the control with OID 2.16.840.1.113730.3.4.18 in the LDAP request.
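The following is an added example, not code from the eDirectory documentation or product, showing what the control in an LDAP request actually carries when it is built by hand. It encodes the RFC 4511 Control structure for the proxied authorization control as DER bytes, using the rules from RFC 4370 (the criticality must be present and TRUE, and the control value is the bare authzId string, "dn:<DN>", "u:<user ID>", or empty for anonymous), and decodes one back so a captured request can be checked. The DN cn=jsmith,o=novell is a constructed sample; any LDAP library's "add a control to this request" call would take the OID, criticality and value produced here, and no connection is opened.

```python
"""Build and decode an RFC 4370 proxied authorization request control.

Added example (not eDirectory code): standard library only, no network access.
"""
import re

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# authzId grammar (RFC 4513 section 5.2.1.8): "dn:<DN>", "u:<userid>", or empty (anonymous).
AUTHZID_RE = re.compile(r"(dn:.+|u:.+|)", re.DOTALL)


def der_length(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(payload)) + payload


def build_proxied_authz_control(authz_id: str) -> bytes:
    """DER-encode Control ::= SEQUENCE { controlType, criticality, controlValue }.

    RFC 4370 requires criticality to be present and TRUE, so it is always emitted;
    a server that does not understand the control must then reject the request
    instead of silently running it as the bound user.
    """
    if not AUTHZID_RE.fullmatch(authz_id):
        raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>', or empty")
    control_type = der_tlv(0x04, PROXIED_AUTHZ_OID.encode("ascii"))  # LDAPOID as OCTET STRING
    criticality = der_tlv(0x01, b"\xff")                              # BOOLEAN TRUE
    control_value = der_tlv(0x04, authz_id.encode("utf-8"))           # bare authzId
    return der_tlv(0x30, control_type + criticality + control_value)


def parse_control(der: bytes) -> dict:
    """Decode a Control back into its fields (for checking a capture or log)."""
    def read_tlv(buf: bytes, pos: int):
        tag = buf[pos]
        length = buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        return tag, buf[pos:pos + length], pos + length

    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    result = {"controlType": fields[0][1].decode("ascii"), "criticality": False, "controlValue": None}
    for t, v in fields[1:]:
        if t == 0x01:
            result["criticality"] = v != b"\x00"
        elif t == 0x04:
            result["controlValue"] = v.decode("utf-8")
    return result


def is_valid_proxied_authz(der: bytes) -> bool:
    """Check a control the way a strict server would: right OID, critical, well-formed authzId."""
    c = parse_control(der)
    return (c["controlType"] == PROXIED_AUTHZ_OID
            and c["criticality"]
            and c["controlValue"] is not None
            and AUTHZID_RE.fullmatch(c["controlValue"]) is not None)


if __name__ == "__main__":
    # Constructed sample DN; substitute the DN of the user to impersonate.
    ctrl = build_proxied_authz_control("dn:cn=jsmith,o=novell")
    print(ctrl.hex())
    print(parse_control(ctrl))
```

The criticality flag is the part worth checking in any client you write or audit: it is the reason the ldapsearch form uses `-e '!authzid=...'` rather than `-e 'authzid=...'`, and a control emitted without it would let a server that ignores unknown controls run the operation under the bound administrator's identity instead of the intended user's.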

Auditing the Proxied Authorization Operations

To audit the proxied authorization operations, eDirectory provides a new event called DSE_IMPERSONATE.