OpenDJ: Proxy auth

The question of doing proxy authorization came up on the OpenDJ mailing list. Proxy authorization lets you connect to a directory server as one user, yet then perform operations as another user. You might, for example, have an application that connects as cn=My App, but then uses uid=kvaughan when performing an operation. There are two versions of the control; the current one, proxied authorization v2, is defined by RFC 4370, which assigns it the OID 2.16.840.1.113730.3.4.18.

Proxy auth relies on both OpenDJ privileges and access control, so both must be set up for it to work. Privileges and access control are covered in the same Admin Guide chapter.

For example, suppose you have an application with DN cn=My App,ou=Apps,dc=example,dc=com that should be allowed to use the proxy auth control. My App uses the control when directory admin Kirsten Vaughan connects through My App to update the description on Babs Jensen's entry. For this to work, My App needs three things: access to use the proxy auth control in requests, the privilege to use proxy auth, and proxy access to the data affected.

For access to use the control, nothing needs to change by default: OpenDJ ships a global ACI that lets authenticated users use a set of controls, among them proxied authorization (2.16.840.1.113730.3.4.18), as the dsconfig output shows.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager"
> -w password get-access-control-handler-prop --property global-aci
(targetcontrol=" || ||
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 ||") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
           : userdn="ldap:///all";)

For the privilege to use proxy auth, add the relevant attribute to My App’s entry.

$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
dn: cn=My App,ou=Apps,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com

For proxy auth access to the data, set up an ACI that explicitly grants the application the proxy permission on the entries it will act on. Note that proxy is the only right the application itself needs for proxied operations: the operation is authorized as the proxied user, so uid=kvaughan must have her own write access to Babs Jensen's description. The example ACI below also grants all to every entry under ou=Apps across the whole suffix, which is more than proxy auth requires; in production, grant proxy alone and scope the target as tightly as you can.

$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "Allow apps proxy auth"; allow(all, proxy)
 (userdn="ldap:///cn=*,ou=Apps,dc=example,dc=com");)

Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com

At this point you can test proxied authorization.

$ ldapmodify -p 1389 -D "cn=My App,ou=Apps,dc=example,dc=com" -w password \
> -Y "dn:uid=kvaughan,ou=People,dc=example,dc=com"
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Changed through proxied auth

Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com

In the access log, you see something like the following (lines folded).

[28/Jun/2011:10:18:05 +0200] CONNECT conn=9 from=
 to= protocol=LDAP
[28/Jun/2011:10:18:05 +0200] BIND REQ conn=9 op=0 msgID=1 version=3
 type=SIMPLE dn="cn=My App,ou=Apps,dc=example,dc=com"
[28/Jun/2011:10:18:05 +0200] BIND RES conn=9 op=0 msgID=1 result=0
 authDN="cn=My App,ou=Apps,dc=example,dc=com" etime=1
[28/Jun/2011:10:18:55 +0200] MODIFY REQ conn=9 op=1 msgID=2
[28/Jun/2011:10:18:55 +0200] MODIFY RES conn=9 op=1 msgID=2 result=0
 authzDN="uid=kvaughan,ou=People,dc=example,dc=com" etime=329
[28/Jun/2011:10:19:00 +0200] UNBIND REQ conn=9 op=2 msgID=3
[28/Jun/2011:10:19:00 +0200] DISCONNECT conn=9 reason="Client Unbind"
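The same two steps from the client and audit sides, as an added Python example (not code from the original post or from OpenDJ): it builds the RFC 4370 control the way ldapmodify -Y does, sends a modify as the application acting on behalf of another user, and then reads access-log records like the ones above to report every operation whose authzDN differs from the DN the connection bound as. The live call assumes the third-party ldap3 library; the server URL and passwords are placeholders, and the sample log is constructed from the excerpt above with made-up TEST-NET-1 addresses where the post shows from= and to= blank.

```python
"""Proxied authorization (RFC 4370) from a client, and spotting it in the access log.

Added example; not code from the original post or from OpenDJ. The live call
assumes the third-party ldap3 library; URL, passwords and log addresses are
placeholders.
"""
import re

# OID of the proxied authorization v2 control, as quoted on the page (RFC 4370).
PROXIED_AUTH_OID = "2.16.840.1.113730.3.4.18"


def proxied_auth_control(authz_id):
    """Build an ldap3-style (oid, criticality, value) control tuple.

    RFC 4370 puts the authzId straight into the control value (no BER wrapper)
    and requires criticality TRUE, so a server that does not support the
    control rejects the request instead of quietly running it as the bound
    application. An empty authzId is legal and means 'anonymous'; it is refused
    here because it is almost never what an application intends.
    """
    if not authz_id:
        raise ValueError("empty authzId would run the operation anonymously")
    if not (authz_id.startswith("dn:") or authz_id.startswith("u:")):
        raise ValueError("authzId must be in the dn: or u: form")
    return (PROXIED_AUTH_OID, True, authz_id.encode("utf-8"))


def modify_as(server_url, bind_dn, bind_pw, authz_id, target_dn, attr, value):
    """Bind as the application, then replace one attribute as authz_id (live call).

    Equivalent to: ldapmodify -D "cn=My App,..." -Y "dn:uid=kvaughan,..."
    """
    import ldap3  # assumed installed; imported here so the offline helpers need no server

    conn = ldap3.Connection(ldap3.Server(server_url), user=bind_dn,
                            password=bind_pw, auto_bind=True)
    try:
        ok = conn.modify(target_dn, {attr: [(ldap3.MODIFY_REPLACE, [value])]},
                         controls=[proxied_auth_control(authz_id)])
        return ok, conn.result  # result carries the LDAP result code and message
    finally:
        conn.unbind()


# Constructed from the page's folded log excerpt; from=/to= are made up.
SAMPLE_LOG = """\
[28/Jun/2011:10:18:05 +0200] CONNECT conn=9 from=192.0.2.10:51234
 to=192.0.2.1:1389 protocol=LDAP
[28/Jun/2011:10:18:05 +0200] BIND REQ conn=9 op=0 msgID=1 version=3
 type=SIMPLE dn="cn=My App,ou=Apps,dc=example,dc=com"
[28/Jun/2011:10:18:05 +0200] BIND RES conn=9 op=0 msgID=1 result=0
 authDN="cn=My App,ou=Apps,dc=example,dc=com" etime=1
[28/Jun/2011:10:18:55 +0200] MODIFY REQ conn=9 op=1 msgID=2
 dn="uid=bjensen,ou=People,dc=example,dc=com"
[28/Jun/2011:10:18:55 +0200] MODIFY RES conn=9 op=1 msgID=2 result=0
 authzDN="uid=kvaughan,ou=People,dc=example,dc=com" etime=329
[28/Jun/2011:10:19:00 +0200] UNBIND REQ conn=9 op=2 msgID=3
[28/Jun/2011:10:19:00 +0200] DISCONNECT conn=9 reason="Client Unbind"
"""

_OP = re.compile(r"^\[[^\]]+\] (\w+)")      # operation name after the timestamp
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value, value quoted or bare


def unfold(text):
    """Rejoin records folded onto continuation lines (leading whitespace)."""
    records = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and records:
            records[-1] += line  # the leading space doubles as the separator
        elif line.strip():
            records.append(line)
    return records


def proxied_ops(log_text):
    """Return (conn, op, bound_dn, authz_dn, result) for each response whose
    authorization identity differs from the identity the connection bound as.

    The BIND tells you which application connected; authzDN tells you on whose
    behalf it acted. That pairing is what an audit of proxied auth needs.
    """
    bound_as = {}  # conn id -> authDN from the BIND RES on that connection
    findings = []
    for rec in unfold(log_text):
        fields = {k: v.strip('"') for k, v in _KV.findall(rec)}
        conn, op = fields.get("conn"), _OP.match(rec)
        if conn is None or op is None:
            continue
        if op.group(1) == "BIND" and " RES " in rec and "authDN" in fields:
            bound_as[conn] = fields["authDN"]
        elif " RES " in rec and "authzDN" in fields:
            if fields["authzDN"] != bound_as.get(conn):
                findings.append((conn, op.group(1), bound_as.get(conn),
                                 fields["authzDN"], fields.get("result")))
    return findings


if __name__ == "__main__":
    for conn, op, bound_dn, authz_dn, result in proxied_ops(SAMPLE_LOG):
        print(f"conn={conn} {op}: bound as {bound_dn!r}, acted as {authz_dn!r}, result={result}")
```

Run it against a real access log to list every connection that acted as someone other than its bind identity; a result other than 0 on such a record means the proxy attempt was refused, which is exactly what you should see when an application without the proxied-auth privilege or the proxy ACI right tries the control.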

Good luck setting up your own proxy auth.


Filed under Directory Services and LDAP

One response to “OpenDJ: Proxy auth”

  1. Today I was setting up proxied auth for a web app and your article was exactly what I was looking for, thank you!
    I also noticed that the ACI target must be at the same level or below the entry’s DN, which makes good sense.
