LDAP Proxy User


In eDirectory, using LDAP with an Anonymous bind requires that an LDAP Proxy User be configured; it is used as the Proxy Authorization user to represent the Anonymous user.

LDAP Proxy User Account for Password Synch

Directions are needed for creating this user:
  • Permissions
  • Procedures for creating the user
  • Procedures for adding new servers to the ONE-Tree in the going-forward plan.

Since the Public user gets Browse, Read and Compare on all objects and attributes.

Regardless of where the rights are assigned to the LDAP Proxy User

The user would acquire

There is an overhead for doing this.

We will need a variance.

  • Password cannot be changed.
  • No Login restrictions.

Anonymous bind

eDirectory in principle allows LDAP clients to log on with an Anonymous bind. By default, such an LDAP client has the access rights that are assigned to the object (Public) in eDirectory. The object (Public) is a virtual object that exists only for the assignment of rights in eDirectory. Every access to objects in the directory tree automatically proceeds with at least the rights that have been granted to that object.

The default setting is that (Public) has the Browse right for the entire tree.

If anonymous users are to be granted more extensive access to individual sections of the directory tree, a separate user account should be created for this purpose. This user account must then be registered as the Proxy User for anonymous LDAP access. For anonymous access to be possible, this account cannot require a password. Note that no password can be configured for this user account either, as otherwise anonymous access could be blocked by a single client.

As early as the planning stage for the use of a directory service, a decision must be made as to what data should be accessible with an anonymous logon. The access rights for the Proxy User must be configured in eDirectory in accordance with this decision.

Setting Up a Proxy User for LDAP Contextless Login

Setting up a proxy user allows you to specify a User object whose rights will be assumed by an anonymous user during an LDAP session. A Proxy User Anonymous Bind is an anonymous connection linked to an eDirectory username. If an LDAP client binds to LDAP for eDirectory anonymously, and the ldapGroup is configured to use a Proxy User, the user is authenticated to eDirectory as the Proxy User. Specifying a User object as a proxy allows more flexibility and better security since anyone logging in anonymously is subject to the selected User object's restrictions and rights to browse the directory.

Instead of using an existing User object, you will probably want to create a User object with the necessary rights to search the attributes, and then assign this User object as the proxy username in the LDAP Group object.

You can assign the proxy user rights to the Root of the tree so that the LDAP client can view attributes of User objects throughout the tree. Or, you might want to restrict access by assigning Read rights only to individual Organizational Units that you want LDAP to search for users. Figure 3 shows an example of assigning the proxy user "LDAPUser" attribute-specific rights.

Note that the "Inheritable" checkbox is checked. This allows the User object "LDAPUser" to see attributes of all objects from the RootDSE on down.
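One check a practitioner would want after assigning these rights, as an added example that is not part of the original page: a small Python audit of ACL values exported from the tree root, reporting where (Public) or the proxy user holds more than Browse, Read and Compare, and where a grant to the proxy user is not inheritable. The ACL value syntax and privilege bit values are assumptions based on eDirectory's documented ACL attribute format; the trustee DN cn=LDAPUser,o=acme and the sample ACL values are constructed.

```python
# Audit eDirectory ACL values for grants to the LDAP proxy user and [Public].
# Assumed ACL value syntax: privileges#scope#trustee#protected-attribute
# Assumed privilege bits (entry rights): 1 Browse, 2 Create, 4 Delete, 8 Rename, 16 Supervisor
# Assumed privilege bits (attribute rights): 1 Compare, 2 Read, 4 Write, 8 Add/Delete Self, 32 Supervisor
ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "AddSelf", 32: "Supervisor"}
WRITE_LIKE = {"Create", "Delete", "Rename", "Supervisor", "Write", "AddSelf"}

def parse_acl(value):
    """Split one ACL value into its fields and decode the privilege bitmask."""
    priv, scope, trustee, protected = value.split("#", 3)
    table = ENTRY_BITS if protected == "[Entry Rights]" else ATTR_BITS
    mask = int(priv)
    rights = [name for bit, name in table.items() if mask & bit]
    return {"trustee": trustee, "scope": scope, "protected": protected, "rights": rights}

def audit(acl_values, proxy_dn):
    """Report grants to [Public] or the proxy user that go beyond read-only access,
    and proxy-user grants whose scope is 'entry' (the Inheritable box unchecked),
    which would not apply to objects below the one the grant is set on."""
    findings = []
    for value in acl_values:
        acl = parse_acl(value)
        trustee = acl["trustee"]
        if trustee not in ("[Public]", proxy_dn):
            continue
        excess = sorted(WRITE_LIKE & set(acl["rights"]))
        if excess:
            findings.append(f"{trustee}: {excess} on {acl['protected']} ({acl['scope']})")
        if trustee == proxy_dn and acl["scope"] != "subtree":
            findings.append(f"{trustee}: grant on {acl['protected']} is not inheritable")
    return findings

# Constructed sample, as the values would appear in an LDIF export of the tree root.
SAMPLE_ACL = [
    "1#subtree#[Public]#[Entry Rights]",                    # default: Browse on the whole tree
    "1#subtree#cn=LDAPUser,o=acme#[Entry Rights]",          # proxy user: Browse, inheritable
    "3#subtree#cn=LDAPUser,o=acme#[All Attributes Rights]", # proxy user: Compare+Read, inheritable
    "3#entry#cn=LDAPUser,o=acme#mail",                      # proxy user: Read on mail, not inheritable
    "7#subtree#[Public]#[All Attributes Rights]",           # misconfigured: [Public] gets Write
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, "cn=LDAPUser,o=acme"):
        print(finding)
```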

The MyPassword Account

This account must have a password, or the desktop cannot be unlocked.

More Information

There might be more information for this subject on one of the following: