ldap proxy user bind

Michael Ströder michael at stroeder.com
Sun Feb 12 07:57:51 EST 2012


sajuptpm wrote:
> Yeah, I am not totally clear about that.
>
> Client's requirement is:
> option to have an LDAP proxy user bind to the LDAP server if it needs
> more directory rights than an anonymous bind.
> option to use an LDAP proxy user when searching.

As said: there's the proxy authorization control (see RFC 4370) for which a 
Python class exists in python-ldap. This is used e.g. in web applications if 
the user has successfully authenticated to the application and his identity 
should be used when processing ACLs in the LDAP server. In this case the 
"proxy user" is a trusted entity to have done authentication right. The proxy 
authz control is sent by the application with each LDAP request. The server 
has to be correctly configured to accept that.

Another option is an LDAP proxy server which accepts anon requests and binds as 
a certain user. You could use OpenLDAP with back-ldap or back-meta for that.

So you should ask your customer what's really needed.

Ciao, Michael.
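The first pattern Michael describes (application binds once as a trusted proxy identity, then tags each request with the RFC 4370 proxied authorization control carrying the authenticated user's identity), as an added example that is not part of the original thread. It assumes python-ldap is installed and that the server has been configured to let the proxy DN act for the users (in OpenLDAP: authzTo/authzFrom); the server URL, DNs, password and base are constructed placeholders.

```python
import re

# RFC 4370 proxied authorization control type. The control value is the raw
# authzId string (no BER wrapping); python-ldap's ProxyAuthzControl uses this OID.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# Login names the application will map to a DN: strict allowlist, so a crafted
# name cannot smuggle an extra RDN ("alice,ou=admins") into the authzId.
_UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if value.endswith(" "):          # trailing space must be escaped
        s = s[:-1] + "\\ "
    if s[:1] in ("#", " "):          # leading '#' or space must be escaped
        s = "\\" + s
    return s


def authz_id_for_uid(uid: str, people_base: str) -> str:
    """Map an already-authenticated login name to the RFC 4370 authzId 'dn:<DN>'."""
    if not _UID_RE.match(uid):
        raise ValueError("login name not acceptable for proxy authorization: %r" % uid)
    return "dn:uid=%s,%s" % (escape_dn_value(uid), people_base)


def search_as_user(conn, uid, people_base, search_base, filterstr, attrlist=None):
    """Run one search on the already bound proxy connection, impersonating uid.

    The control is critical: the server must refuse the request rather than
    silently answer with the proxy user's (broader) rights when it does not
    support, or does not permit, proxied authorization for this identity.
    """
    import ldap
    from ldap.controls.simple import ProxyAuthzControl
    ctrl = ProxyAuthzControl(criticality=True, authzId=authz_id_for_uid(uid, people_base))
    return conn.search_ext_s(search_base, ldap.SCOPE_SUBTREE, filterstr,
                             attrlist=attrlist, serverctrls=[ctrl])


if __name__ == "__main__":
    import ldap
    conn = ldap.initialize("ldap://ldap.example.com")   # constructed placeholder
    conn.simple_bind_s("cn=webapp-proxy,ou=services,dc=example,dc=com", "PROXY-PASSWORD-PLACEHOLDER")
    for dn, entry in search_as_user(conn, "alice", "ou=people,dc=example,dc=com",
                                    "dc=example,dc=com", "(objectClass=person)", ["cn", "mail"]):
        print(dn, entry)
```

A rejected control (e.g. unwillingToPerform or a proxied authorization denial) is the server saying the proxy DN is not trusted for that user, which is exactly the server-side configuration Michael says must be in place.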

More information about the Python-list mailing list