When a directory backbone performs operations over DXlink, some operations on the target LDAP server may require that the user be authorized for that operation.
You can include the dsp-ldap-proxy link flag in the DXlink knowledge to cause the last DSA in the chain to use the authorization of the originating user to perform operations on the LDAP server.
Important! This may compromise security because the originating user is never authenticated by the LDAP server.
Usually, the last DSA in the chain binds to the LDAP server using the credentials specified in the ldap-dsa-name and ldap-dsa-password flags.
If the dsp-ldap-proxy flag is also set, then the DN of the user that made the initial bind is added to the following subsequent requests:
If the initial bind was anonymous, no DN is added to subsequent requests.
To do this, the DSA that chains the operation over DXlink adds the originator DN to a LDAP proxy control on the request. The LDAP server must permit the entry in the LDAP DSA name the authority to proxy all users.
Note: The dsp-ldap-proxy link flag can only be used if the target LDAP server supports the LDAP Proxy Authorization control.
Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |