Proxied Authorization Control

The proxied authorization control enables a client to perform operations as the user specified in the control value. This is similar to the ‘su’ (substitute user) function available on UNIX operating systems. To restrict the ability of a user to impersonate anyone, the trust SASL proxy feature must be set. This feature is useful for auditing changes to the DIT.

If the link flag dsa-ldap-proxy is used with DXlink, the proxied authorization control is added to operations chained to third-party LDAP servers containing the entry of the request's originator. The root DSE of the third-party LDAP server should be queried to check that it supports this control.
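One way to run that root DSE check against saved search output, as an added example that is not part of the product documentation. The two OIDs are the ones registered for the proxied authorization control (RFC 4370 and its earlier drafts), and the sample root DSE is constructed.

```python
import base64

# OIDs for the proxied authorization control (known from RFC 4370 and its
# earlier drafts; the page itself does not list them).
PROXY_AUTHZ_OIDS = {
    "2.16.840.1.113730.3.4.18": "proxied authorization v2 (RFC 4370)",
    "2.16.840.1.113730.3.4.12": "proxied authorization v1 (early drafts)",
}

# Constructed sample root DSE (one folded line, one base64 value), as printed by:
#   ldapsearch -x -H ldap://HOST -s base -b "" supportedControl
SAMPLE_ROOT_DSE = (
    "dn:\n"
    "supportedControl: 1.2.840.113556.1.4.319\n"
    "supportedControl: 2.16.840.1.113730.\n"
    " 3.4.18\n"
    "SupportedControl:: "
    + base64.b64encode(b"2.16.840.1.113730.3.4.2").decode() + "\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def supported_controls(ldif):
    """Return the set of OIDs listed under supportedControl."""
    oids = set()
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "supportedcontrol":
            continue
        if rest.startswith(":"):  # "attr:: value" carries base64
            rest = base64.b64decode(rest[1:].strip()).decode("ascii")
        oids.add(rest.strip())
    return oids

def proxy_authz_support(ldif):
    """Map each advertised proxied authorization OID to its description."""
    found = supported_controls(ldif)
    return {o: d for o, d in PROXY_AUTHZ_OIDS.items() if o in found}

if __name__ == "__main__":
    print(proxy_authz_support(SAMPLE_ROOT_DSE) or "control not advertised")
```

An empty result means the server does not advertise the control, so operations chained to it with the control attached may be rejected.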

This control is specified in an Internet Draft on the IETF home page. The specification of its operation can change over time. Also, the name of the draft document changes as revisions are made. At the time of writing, the document name is draft-weltman-ldapv3-proxy-13.txt.