
My network's core user database is managed by OpenLDAP. Recently we have needed to introduce the possibility for one user to act on a second user's behalf. As all application-related rights and permissions are stored in the LDAP, we also want to store the new schema in the same place.

My question is: are there commonly renowned schemas or best practices for storing such delegated permissions in LDAP? I've heard there is such functionality in MS Exchange, which uses Active Directory.

hegemon

1 Answer


You'd probably want to use Proxied Authorization. It uses special operational attributes (authzTo or authzFrom) to allow one bound user to perform operations using the identity and permissions of another user.

I use UnboundID's LDAP SDK; they have an example of performing operations using Proxied Authorization in their Javadocs for ProxiedAuthorizationV2RequestControl.

Brad Mace
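A worked example of the mechanism the answer describes, added here and not taken from the original answer, from OpenLDAP or from the UnboundID SDK. It shows the two halves of proxied authorization: the RFC 4370 control a client attaches to each request (OID 2.16.840.1.113730.3.4.18, value is the raw authzId, criticality set), and what slapd stores and evaluates on the server side, namely `authzTo` on the entry that binds, `authzFrom` on the entry being impersonated, and the `olcAuthzPolicy` (`authz-policy` in slapd.conf) setting that decides which of the two must match. The LDIF is constructed for the example; the `(oid, criticality, value)` tuple shape is what ldap3's `controls=` argument accepts (an assumption about that client library, not part of the answer); DN normalisation is simplified to case-folding, and only the `dn:`, `dn.exact:` and `dn.regex:` rule forms are modelled, although slapd accepts others such as `u:` and `ldap:///` URIs.

```python
"""Added worked example (not from the original answer, OpenLDAP or UnboundID):
what to store in the directory for proxied authorization and how slapd's
authz-policy setting evaluates it."""
import re

# RFC 4370, Proxied Authorization Control (v2). The control value is the raw
# authzId string, not BER-wrapped, and the control must be marked critical.
PROXIED_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"


def proxied_authz_control(authz_id: str) -> tuple:
    """Build the (oid, criticality, value) tuple a client sends with each
    operation it wants performed as `authz_id`. ldap3 accepts this shape in
    its `controls=` argument (assumption about the client library; the control
    itself is defined by RFC 4370, where an empty authzId means anonymous)."""
    if authz_id != "" and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>' or empty")
    return (PROXIED_AUTHZ_V2_OID, True, authz_id.encode("utf-8"))


# Constructed LDIF (hypothetical names): alice, an assistant, may act as bob
# through authzTo on her own entry; bob additionally accepts anyone under
# ou=assistants through authzFrom. carol has an authzTo rule but sits outside
# ou=assistants, so bob's authzFrom does not cover her.
SAMPLE_LDIF = """\
dn: uid=alice,ou=assistants,dc=example,dc=com
uid: alice
authzTo: dn:uid=bob,ou=people,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
authzTo: dn:uid=bob,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
authzFrom: dn.regex:^uid=[^,]+,ou=assistants,dc=example,dc=com$
"""


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader returning {dn: {attr: [values]}}. Handles only the
    single-line 'attr: value' form used above (no continuation lines, no base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def _norm(dn: str) -> str:
    # Simplified DN normalisation: case-fold and drop spaces after commas.
    return re.sub(r",\s*", ",", dn.strip().lower())


def _rule_matches(rule: str, dn: str) -> bool:
    """Evaluate one authzTo/authzFrom value against a DN. Only the dn, dn.exact
    and dn.regex forms are modelled here (simplification of slapd's syntax)."""
    style, _, pattern = rule.partition(":")
    if style in ("dn", "dn.exact"):
        return _norm(pattern) == _norm(dn)
    if style == "dn.regex":
        return re.search(pattern, dn) is not None
    raise ValueError(f"unsupported authz rule form: {style}")


def may_assume(directory: dict, policy: str, bound_dn: str, target_dn: str) -> bool:
    """Mirror the authz-policy (olcAuthzPolicy) decision slapd makes when a
    request carries the control. none: proxying disabled; to: the bound entry's
    authzTo must match the target; from: the target's authzFrom must match the
    bound entry; any: either suffices; all: both must match."""
    to_ok = any(_rule_matches(r, target_dn)
                for r in directory.get(bound_dn, {}).get("authzTo", []))
    from_ok = any(_rule_matches(r, bound_dn)
                  for r in directory.get(target_dn, {}).get("authzFrom", []))
    return {"none": False, "to": to_ok, "from": from_ok,
            "any": to_ok or from_ok, "all": to_ok and from_ok}[policy]


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    alice = "uid=alice,ou=assistants,dc=example,dc=com"
    carol = "uid=carol,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for policy in ("none", "to", "from", "any", "all"):
        print(f"{policy:5} alice->bob {may_assume(d, policy, alice, bob)!s:5} "
              f"carol->bob {may_assume(d, policy, carol, bob)}")
    print(proxied_authz_control("dn:" + bob))
```

The point a practitioner should take from the table this prints: with `olcAuthzPolicy: to` the delegation is controlled entirely by the assistant's own entry, with `from` entirely by the manager's entry, and with `all` both sides must agree, which is the setting to prefer when one user should not be able to grant themselves access to another. Whatever the policy, the proxied operation is then subject to the normal ACLs of the identity being assumed, not of the binding identity.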