What is an LDAP Proxy User?

  • 7000340
  • 08-May-2008
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3.10 for All Platforms
Novell eDirectory

Situation

What is an LDAP Proxy user and how do I set one up?

What special considerations, if any, apply to the LDAP Proxy User object?

How does Universal Password (UP) affect an LDAP Proxy User object?

Resolution

By default, when a user performs an anonymous bind (that is, binds without supplying a password), access control for that session is calculated against a special pseudo-object in the directory. This object is termed [Public]. By default, this pseudo-object can browse the entire tree hierarchy and read a limited number of attributes on entries. The attributes that [Public] can read are those that have the X-NDS_PUBLIC_READ schema flag set to true. This flag can be seen in iMonitor's Schema section. [Public] can also see any attributes or entries to which rights have been explicitly assigned in eDirectory. In a default installation this includes Browse to [Entry Rights], among others, which lets the hierarchy of the tree be viewed. Trustee rights for [Public] are handled the same way as they are for any other trustee and can be viewed in ConsoleOne or iManager.

If you'd like to have an anonymous bind use a different object in the tree, you can specify that object in the Proxy Username field. By doing this, you can restrict the types of objects and attributes that anonymous users can access by setting the appropriate access controls on the proxy user object.

The proxy username must be a DN. To easily select an object, click the directory browser button to the right of the text field. A dialog box appears that allows you to choose an object in the tree. Any eDirectory user object can be used, and anonymous LDAP access will assume the eDirectory rights of that user.

Important note: A proxy user must have a blank password in order to work correctly. This is very different from having NO password. If a user has no password, then they do not have a public/private key pair to compare against when attempting to log in. A blank password will generate a public/private key pair, although the actual string for the password is empty. To set a blank password, go into ConsoleOne or iManager and click on the Restrictions tab. Click on Change Password and, without typing anything, click Set Password. This will set the password to an empty (zero-byte) string.

With Universal Password (UP) enabled, the default policy, and most non-default policies, reject a zero-length password. To work around this, create a new UP policy that explicitly disables Universal Password. The most granular UP policy assignment wins in eDirectory, so this policy will override any others if it is assigned directly to the LDAP Proxy User object. With this done, set the password as described above.
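To confirm that assigning a restricted proxy user actually narrowed anonymous access, the following shell check, added here and not part of the TID, runs an anonymous ldapsearch and reports the distinct attributes and the entry count that came back. The OpenLDAP ldapsearch client, the HOST and BASE placeholders and the sample LDIF are assumptions of the example.

```shell
# Audit which attributes an anonymous bind can read from eDirectory, so the
# effect of assigning a restricted LDAP Proxy User can be verified. Added
# example, not from the TID; assumes the OpenLDAP ldapsearch client, with
# HOST and BASE as placeholders for your server and search base.
# Distinct attribute names in LDIF read from stdin, one per line. Comment,
# blank, folded and "dn:" lines are skipped, leaving exactly the returned set.
exposed_attrs() {
  awk '
    /^#/ || /^$/ || /^ / { next }        # comment, blank, folded line
    /^dn:/ { next }                      # entry name, not an attribute
    /^[A-Za-z][A-Za-z0-9;-]*:/ {
      name = $0; sub(/:.*/, "", name); seen[name] = 1
    }
    END { for (a in seen) print a }
  ' | LC_ALL=C sort
}

# Number of entries ("dn:" lines) in LDIF read from stdin.
visible_entries() {
  grep -c '^dn:' || true
}

# Constructed LDIF standing in for the output of an anonymous subtree search
# against a tree where [Public] can still read more than the admin intends.
SAMPLE_LDIF='dn: cn=alice,o=example
objectClass: inetOrgPerson
cn: alice
sn: Example
telephoneNumber: 555-0100

dn: cn=bob,o=example
objectClass: inetOrgPerson
cn: bob
sn: Example
mail: bob@example.invalid
'

# Anonymous (-x with no -D/-w) subtree search, summarised with the helpers.
audit_anonymous() {
  host=$1; base=$2
  out=$(ldapsearch -x -LLL -H "ldap://$host" -b "$base" -s sub '(objectClass=*)')
  printf 'entries visible anonymously: %s\n' "$(printf '%s\n' "$out" | visible_entries)"
  printf 'attributes readable anonymously:\n'
  printf '%s\n' "$out" | exposed_attrs | sed 's/^/  /'
}

# Offline run on the constructed sample; use audit_anonymous HOST BASE live.
printf '%s\n' "$SAMPLE_LDIF" | exposed_attrs
```

Run the live check once before and once after assigning the proxy user, and compare the two attribute lists: anything that disappears is what the proxy user's trustee rights now withhold from anonymous binds.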

Additional Information

Formerly known as TID# 10062428