
Automatically Authorizing LDAP Operations

When a directory backbone performs operations over DXlink, some operations on the target LDAP server may require that the user be authorized for that operation.

You can include the dsp-ldap-proxy link flag in the DXlink knowledge to cause the last DSA in the chain to use the authorization of the originating user to perform operations on the LDAP server.

Important! This may compromise security because the originating user is never authenticated by the LDAP server.

Usually, the last DSA in the chain binds to the LDAP server using the credentials specified in the ldap-dsa-name and ldap-dsa-password flags.

If the dsp-ldap-proxy flag is also set, then the DN of the user that made the initial bind is added to the following subsequent requests:

If the initial bind was anonymous, no DN is added to subsequent requests.

The DSA that chains the operation over DXlink conveys the proxy user by including the originator DN of the user performing the operation in the LDAP proxy authorization control on the request. The LDAP server must grant the configured ldap-dsa-name user the authority to proxy all users.

Note: The dsp-ldap-proxy link flag can only be used if the target LDAP server supports the LDAP Proxy Authorization control.
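As an added illustration (example code written for this page, not CA Directory's own implementation), the Python below encodes the Proxied Authorization control (RFC 4370) the way the chaining DSA attaches it, omits it for an anonymous originator, and shows the check the LDAP server side must make: only the configured ldap-dsa-name identity may assert it. The BER helpers and all DNs are constructed for this example.

```python
from typing import Optional, Tuple

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # Proxied Authorization Control
def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value  # tag, length, value

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def proxy_authz_control(originator_dn: Optional[str]) -> Optional[bytes]:
    """Control the chaining DSA adds: SEQUENCE { OID, criticality, authzId }.
    An anonymous originator (None or "") yields no control at all."""
    if not originator_dn:
        return None
    seq = (ber_tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
           + ber_tlv(0x01, b"\xff")  # criticality TRUE, as RFC 4370 requires
           + ber_tlv(0x04, ("dn:" + originator_dn).encode("utf-8")))
    return ber_tlv(0x30, seq)

def effective_identity(bound_dn: str, proxy_user_dn: str,
                       control: Optional[bytes]) -> Optional[str]:
    """Server side: identity the operation runs as, or None to reject.
    Only the configured ldap-dsa-name user (proxy_user_dn) may assert it."""
    if control is None:
        return bound_dn  # no control: the bind identity is used
    tag, body, _ = read_tlv(control, 0)
    _, oid, pos = read_tlv(body, 0)
    _, critical, pos = read_tlv(body, pos)
    _, authz, _ = read_tlv(body, pos)
    if tag != 0x30 or oid.decode() != PROXY_AUTHZ_OID or critical != b"\xff":
        return None
    if bound_dn.lower() != proxy_user_dn.lower():
        return None  # bound user lacks proxy authority: reject the request
    return authz.decode("utf-8")[3:] if authz.startswith(b"dn:") else None
```

Note that a user who binds as themselves and then presents the control is refused, which is exactly the authority the page says must be reserved for the ldap-dsa-name account.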