PingDirectory

Forwarding authorization identities in requests

By default, the PingDirectoryProxy server tries to ensure that requests it forwards to backend servers get processed with the correct user authorization. To do this, the server relies on a function controlled by the authorization-method property, located in the LDAP external server configuration for each of the backend server instances.

Considering proxied authorization scenarios

In environments configured with a PingDirectoryProxy server in front of PingDirectory server instances, the authorization-method property is typically set to intermediate-client-control. This authorization-method value might not be the best option when clients need to authorize a request as a user whose account doesn’t exist in the backend server, including the following scenarios:

  • Entry-balanced configurations where a user whose account resides in one backend set might need to issue requests targeting entries in a different backend set

  • Configurations that have multiple subtree views backed by different sets of backend servers for different parts of the DIT, where a user whose account resides in one part might need to issue requests targeting entries in a different part

However, the intermediate-client-control setting can still be appropriate for deployments where some users might need to issue requests that get processed by servers that don’t contain their accounts. This works when there are only a small number of roles that any user can assume, such as a regular end user, a password administrator, or a full server administrator. You can create surrogate accounts for each of those roles that reside in all the backend servers.

To indicate that operations processed in servers that don’t contain the requester’s user entry should be authorized as the appropriate surrogate account, use the ds-authz-map-to-dn operational attribute (either a real or a virtual attribute).

Using the forward-authorization-entry-control

You can also use the forward-authorization-entry-control, which causes the PingDirectoryProxy server to forward a copy of the requester’s entry to the backend server. The PingDirectoryProxy server uses that entry to authorize requests as that user in backend servers that don’t already contain the entry.

You should prefer the intermediate-client-control for proxied authorization.

Reserve the forward-authorization-entry-control for scenarios where it’s common for users in one entry-balanced backend set to need access to entries in other backend sets—but whose entries can’t be reasonably mapped to surrogate entries.

You can only use the forward-authorization-entry-control in topologies where all servers are running version 10.3 or later.

Steps

For each PingDirectoryProxy server in the topology, make the following configuration change for every LDAP external server instance:

  • Set the value of authorization-method to forward-authorization-entry-control.

    Example:

    $ bin/dsconfig set-external-server-prop \
      --server-name server.example.com:636 \
      --set authorization-method:forward-authorization-entry-control
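An added pre-flight helper, not part of PingDirectory's own tooling, that gates the change on the version requirement above: it reads constructed "server-name version" pairs (how you collect each backend's version is up to you) and emits one dsconfig command per external server only if every server reports 10.3 or later.

```shell
#!/bin/sh
# Hypothetical helper (not PingDirectory's tooling): refuse to emit the
# authorization-method change unless every backend server is 10.3 or later.

# version_ge_10_3 VERSION -> status 0 if major.minor is at least 10.3
version_ge_10_3() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac   # reject non-numeric input
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 10 ]; then return 0; fi
  if [ "$major" -eq 10 ] && [ "$minor" -ge 3 ]; then return 0; fi
  return 1
}

# emit_authz_change reads "server-name version" lines on stdin.
# If any server is below 10.3 it prints nothing on stdout and returns 1;
# otherwise it prints one dsconfig command per external server, in the
# form shown in the steps above.
emit_authz_change() {
  cmds=""
  while read -r name ver; do
    [ -z "$name" ] && continue
    if ! version_ge_10_3 "$ver"; then
      echo "refusing: $name reports version $ver (< 10.3)" >&2
      return 1
    fi
    cmds="${cmds}bin/dsconfig set-external-server-prop --server-name $name --set authorization-method:forward-authorization-entry-control
"
  done
  printf '%s' "$cmds"
}

# Constructed sample inventories (server names and versions are made up).
SAMPLE_OK="server1.example.com:636 10.3.0.0
server2.example.com:636 11.0.0.0"
SAMPLE_BAD="server1.example.com:636 10.3.0.0
server3.example.com:636 10.2.0.1"

# Demonstration: the first inventory yields two commands, the second none.
printf '%s\n' "$SAMPLE_OK" | emit_authz_change
printf '%s\n' "$SAMPLE_BAD" | emit_authz_change || echo "change not emitted" >&2
```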