Overview
In eDirectory, using LDAP with an anonymous bind requires that an LDAP Proxy User be configured; it is used as the Proxy Authorization user to represent the anonymous user.
- Procedures for creating the user
- Procedures for adding new servers in the ONE-Tree in the going forward plan.
Since the public user gets browse, read and compare on all objects and attributes.
Regardless of where the rights are assigned to the Proxy User
The user would acquire
There is an overhead for doing this.
We will need a variance.
- Password cannot be changed.
- No Login restrictions.
The default setting is that (Public) has the Browse right for the entire tree.
If anonymous users are to be granted more extensive access to individual sections of the directory tree, then a separate user account should be created for this. This user account must then be registered as the Proxy User for anonymous LDAP access. For anonymous access to be possible, this account cannot require a password. It should be noted that this user account must not be able to set a password itself either, as otherwise anonymous access could be blocked by a single client.
A decision about what data should be accessible with anonymous logon must be made as early as the planning stage of the directory service. The access rights for the Proxy User must be configured in eDirectory in accordance with this decision.
A proxy user allows you to specify a User object whose rights will be assumed by an anonymous user during an LDAP session. A Proxy User Anonymous Bind is an anonymous connection linked to an eDirectory username. If an LDAP client binds to LDAP for eDirectory anonymously, and the ldapGroup is configured to use a Proxy User, the user is authenticated to eDirectory as the Proxy User. Specifying a User object as a proxy allows more flexibility and better security, since anyone logging in anonymously is subject to the selected User object's restrictions and rights to browse the directory.
Instead of using an existing User object, you will probably want to create a User object with the necessary rights to search the attributes and then assign this User object to the proxy username in the LDAP Group object.
You can assign the proxy user rights to the Root of the tree so that the LDAP client can view attributes of User objects throughout the tree. Or, you might want to restrict access by assigning Read rights only to individual Organizational Units that you want LDAP to search for users. Figure 3 shows an example of assigning the proxy user "LDAPUser" attribute-specific rights.
Note that the "Inheritable" checkbox is checked. This allows the User object "LDAPUser" to see attributes of all objects from the RootDSE on down.
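To check that the Proxy User's effective rights match the planning decision described above, the following added example (not part of the original page and not eDirectory tooling) audits the LDIF returned by an anonymous search against an attribute allowlist. The LDIF sample, the container names and the `POLICY` table are constructed assumptions.

```python
import base64
# Constructed sample: LDIF as an anonymous search might return it (not real data).
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=Staff,o=Example
cn: jdoe
mail: jdoe@example.com
telephoneNumber: +1 555 0100

dn: cn=svc-backup,ou=Service,o=Example
cn: svc-backup
description:: YmFja3VwIG9wZXJhdG9yIGFjY291bnQ=

dn: cn=asmith,ou=Staff,o=Example
title: Very long title that the server
  folds onto a second line
"""
# Assumed planning decision: container suffix -> attributes anonymous users may read.
POLICY = {"ou=staff,o=example": {"cn", "mail", "title"}}

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # RFC 2849 continuation line
        else:
            lines.append(raw)
    entries = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue                           # blank separator or comment
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            entries.append((value, {}))        # a dn line starts a new entry
        elif entries:
            entries[-1][1].setdefault(name.lower(), []).append(value)
    return entries

def audit(entries, policy):
    """Return (dn, attr) pairs visible anonymously that the policy does not allow."""
    findings = []
    for dn, attrs in entries:
        allowed = next((a for s, a in policy.items()
                        if ("," + dn.lower()).endswith("," + s)), set())
        findings += [(dn, a) for a in sorted(attrs) if a not in allowed]
    return findings
```

Feed `parse_ldif` the LDIF output of a search made without bind credentials; every pair returned by `audit` is data the Proxy User (or [Public]) exposes beyond what was planned.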