<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Proxy authorization</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" />
<a name="rzahyproxyauth"></a>
<h3 id="rzahyproxyauth">Proxy authorization</h3>
<p>Proxy authorization is a special form of authentication. With this
mechanism, a client application binds to the directory with its own identity
but is allowed to perform operations on the target directory on behalf of
another user. This lets a set of trusted applications or users access the
Directory Server on behalf of multiple users.</p>
<p>The members of the proxy authorization group can assume any authenticated
identity except that of the administrator or of members of the administrative group.</p>
<p>The proxy authorization group can be stored under either localhost or IBMpolicies.
A proxy authorization group under IBMpolicies is replicated; a proxy authorization
group under localhost is not. You can store the proxy authorization group
under both localhost and IBMpolicies. If the proxy group is not stored under
one of these DNs, the server ignores the proxy part of the group and treats
it as a normal group.</p>
<p>As an example, a client application, client1, can bind to the Directory
Server with a high level of access permissions. UserA with limited permissions
sends a request to the client application. If the client is a member of the
proxy authorization group, instead of passing the request to the Directory
Server as client1, it can pass the request as UserA using the more limited
level of permissions. This means that the application does not perform the
request as client1; it can access only the information, and perform only the
actions, that UserA is able to access or perform. It performs the request on
behalf of, or as a proxy for, UserA.</p>
<a name="wq53"></a>
<div class="notetitle" id="wq53">Note:</div>
<div class="notebody">The value of the member attribute must be in the form
of a DN. Otherwise, an Invalid DN syntax message is returned. A group DN is
not permitted to be a member of the proxy authorization group.</div>
<p>Administrators and administrative group members are not permitted to be
members of the proxy authorization group. The audit log records both the bind
DN and the proxy DN for each action performed using proxy authorization.</p>
<p>For more information, see <a href="rzahymanproxygroup.htm#rzahymanproxygroup">Manage a proxy authorization group</a>.</p><img src="deltaend.gif" alt="End of change" />
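<p>The membership and placement rules above can be checked offline against an exported group entry before it is loaded. The following is an added example, not code from IBM or from the original page; it assumes the suffixes are written as cn=localhost and cn=ibmpolicies, uses a simplified DN-shape check, and every DN in it (including cn=proxyGroup) is constructed.</p>

```python
# Added example: offline review of a proxy authorization group entry.
# Assumptions: suffix DNs cn=localhost / cn=ibmpolicies; all sample DNs are constructed.
PROXY_SUFFIXES = {"cn=localhost": False, "cn=ibmpolicies": True}  # suffix: replicated?

def split_dn(dn):
    """Return lowercased RDNs, or None when the value is not DN-shaped (simplified check)."""
    parts = dn.replace("\\,", "\x00").split(",")  # protect escaped commas while splitting
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr.replace("-", "").isalnum() or not value:
            return None
        rdns.append(attr.lower() + "=" + value.lower().replace("\x00", "\\,"))
    return rdns

def normalize(dn):
    """Canonical string for case-insensitive DN comparison; None if not DN-shaped."""
    rdns = split_dn(dn)
    return ",".join(rdns) if rdns else None

def review_proxy_group(group_dn, members, admin_dns, group_dns):
    """Apply the page's rules; admin_dns and group_dns come from your own directory export."""
    suffix = (split_dn(group_dn) or [""])[-1]
    admins = {normalize(d) for d in admin_dns}
    groups = {normalize(d) for d in group_dns}
    rejected = []
    for member in members:
        norm = normalize(member)
        if norm is None:
            rejected.append((member, "Invalid DN syntax"))
        elif norm in admins:
            rejected.append((member, "administrator or administrative group member"))
        elif norm in groups:
            rejected.append((member, "group DN is not permitted as a member"))
    return {
        "proxy_effective": suffix in PROXY_SUFFIXES,  # otherwise treated as a normal group
        "replicated": PROXY_SUFFIXES.get(suffix, False),
        "rejected": rejected,
    }

if __name__ == "__main__":
    print(review_proxy_group("cn=proxyGroup,cn=ibmpolicies",
                             ["cn=client1,o=example", "client1", "cn=root"],
                             admin_dns=["CN=Root"], group_dns=[]))
```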
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>