Client Credential Levels
any entry that is allowed to bind to the directory. The account requires sufficient access to
perform the naming service functions on the LDAP server.
The proxy account is a shared-per-system resource, which means that every user on a system
that uses proxy access, including the root user, sees the same directory information. You
must configure the proxyDN and proxyPassword attributes on every client system that uses
the proxy credential level. Further, the proxyDN must have the same proxyPassword on all
of the LDAP servers.
The encrypted proxyPassword is stored locally on the client. If the password changes for a
proxy user, you must update the password on every client system that uses that proxy user.
Also, if you use password aging on LDAP accounts, make sure to exempt proxy users.
You can set up different proxies for different groups of clients. For example, you can
configure a proxy that limits all the sales clients to the company-wide accessible
directories and the sales directories, while access to the Human Resources directories
that hold payroll information is forbidden. At the extremes, you can either assign a
different proxy to each client or assign just one proxy to all clients.
If you plan to set up multiple proxies for different clients, consider the choices carefully.
Too few proxy agents can limit your ability to control user access to resources. However,
too many proxies complicate the setup and maintenance of the system. You need to
grant the appropriate rights to the proxy user depending on your environment. For more
information about how to determine which authentication method to use, see “Storing
Credential for LDAP Clients” on page 19.
The proxy credential level applies to all users and processes on any specific system. Users
that need to use different naming policies must log in to different systems, or use the per-
user authentication model.
■
proxy anonymous – The proxy anonymous credential level is a multi-valued entry where
more than one credential level is defined. With this level, a client first attempts to be
authenticated by using its proxy identity. If the authentication fails because of user lockout
or expired password, then the client uses anonymous access. Depending on how the
directory is configured, different credential levels might be associated with different levels
of service.
■
self – The self credential level is also known as the per-user mode. In this mode, each
user or system authenticates its own lookups with its Kerberos identity, called the
principal. With per-user authentication, the system administrator can use access control
instructions (ACIs), access control lists (ACLs), roles, groups or other directory access
control mechanisms to grant or deny access to specific naming-service data for specific
users or systems.
To use the per-user authentication model, the following configurations are required:
■
Deployment of the Kerberos single sign-on service
■
Support for the SASL and the SASL/GSSAPI authentication mechanism in one or more
directory servers
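Two of the points above are easy to get wrong in practice: the proxyDN must bind with the same proxyPassword on every server in the client's server list, and under proxy anonymous a failed proxy bind silently degrades the client to anonymous access rather than failing. The following script is an added example, not code from the Oracle Solaris documentation. It binds as the proxy DN against each server and reports which servers are out of sync, then shows what a client would end up with under the proxy and proxy anonymous levels. It assumes the ldap3 library for real binds (imported lazily so the offline demo runs without it); the server names, proxy DN and passwords are hypothetical, and the fake directory is constructed for the demo.

```python
"""Added example (not Oracle's code): check a proxy DN against every LDAP server
and show how the proxy and proxy anonymous credential levels differ when the
proxy bind fails.  Assumes the ldap3 library for real binds; all server names,
DNs and passwords below are hypothetical."""

from typing import Callable, Dict, List

# LDAP result-code names as ldap3 reports them in conn.result["description"].
SUCCESS = "success"
INVALID_CREDENTIALS = "invalidCredentials"

# A bind routine takes (server, bind DN, password) and returns the result name.
BindFn = Callable[[str, str, str], str]


def ldap3_simple_bind(server: str, dn: str, password: str) -> str:
    """Real simple bind over LDAPS using ldap3 (what a Solaris client with
    authenticationMethod=tls:simple does).  Only for use against real servers;
    the offline demo below injects fake_bind instead."""
    import ldap3  # lazy import so the offline demo does not need the library
    host, _, port = server.partition(":")
    srv = ldap3.Server(host, port=int(port or 636), use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(srv, user=dn, password=password)
    conn.bind()
    description = conn.result["description"]
    conn.unbind()
    return description


def check_proxy_on_all_servers(servers: List[str], proxy_dn: str, password: str,
                               bind: BindFn = ldap3_simple_bind) -> Dict[str, str]:
    """Bind as the proxy DN on every server; returns {server: result name}.
    Every value must be SUCCESS before the password is pushed to the clients."""
    return {server: bind(server, proxy_dn, password) for server in servers}


def out_of_sync(results: Dict[str, str]) -> List[str]:
    """Servers on which the proxy bind did not succeed: password not yet
    updated there, proxy account locked out, or its password expired."""
    return sorted(server for server, result in results.items() if result != SUCCESS)


def effective_level(bind_result: str, credential_level: str) -> str:
    """What the client actually gets once its proxy bind returns bind_result.

    proxy           -> the proxy identity, or no access at all if the bind fails
    proxy anonymous -> the proxy identity, falling back to anonymous access
                       when the proxy bind fails (lockout, expired password)
    """
    if bind_result == SUCCESS:
        return "proxy"
    if credential_level == "proxy anonymous":
        return "anonymous"
    return "none"


# Constructed sample data: ldap2 still holds the old proxy password, the
# situation the text warns about after a proxy password change.
PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"
SERVERS = ["ldap1.example.com:636", "ldap2.example.com:636", "ldap3.example.com:636"]
FAKE_DIRECTORY = {
    "ldap1.example.com:636": {PROXY_DN: "n3w-pass"},
    "ldap2.example.com:636": {PROXY_DN: "old-pass"},
    "ldap3.example.com:636": {PROXY_DN: "n3w-pass"},
}


def fake_bind(server: str, dn: str, password: str) -> str:
    """Offline stand-in for ldap3_simple_bind, driven by FAKE_DIRECTORY."""
    if FAKE_DIRECTORY.get(server, {}).get(dn) == password:
        return SUCCESS
    return INVALID_CREDENTIALS


if __name__ == "__main__":
    results = check_proxy_on_all_servers(SERVERS, PROXY_DN, "n3w-pass", bind=fake_bind)
    for server, result in results.items():
        print(f"{server}: {result}")
    stale = out_of_sync(results)
    print("update proxyPassword on:", ", ".join(stale) or "nothing, all servers in sync")
    for level in ("proxy", "proxy anonymous"):
        print(f"credentialLevel={level!r} against ldap2 ->",
              effective_level(results["ldap2.example.com:636"], level))
```

Run it against the constructed directory and ldap2 is reported as out of sync; against real servers, pass `bind=ldap3_simple_bind` (the default) and the new password. Run the check before updating the clients, since every client that carries the changed proxyPassword will otherwise bind with a password that one of its servers does not yet accept. The effective_level output also shows why proxy anonymous deserves thought: a locked-out or expired proxy account does not produce a visible failure on the client, only quieter, anonymous-level answers.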
18 Working With Oracle Solaris 11.3 Directory and Naming Services: LDAP • September 2018