I have previously described the advantages of using LDAP Proxy Authorization when performing changes on an LDAP server on behalf of someone else. Here's PHP code to actually perform proxy authorization. The code first checks the Root DSE to see if the Proxied Authorization control is supported, and then performs an LDAP search with proxied credentials. I'll be releasing a new version of LUMS shortly containing this and a few other enhancements.

Please read the SASL chapter of the OpenLDAP administrator's guide first. Pay attention to the authzTo/authzFrom attributes and make sure you set 'authz-policy to/from' in order for things to work. Also, the admin guide has a small typo in the authzTo/authzFrom DN regex definition. The correct form is:

authzTo: {0}dn.regex:^uid=[^,]*,ou=people,<base>$

<?php
function LUMS_set_proxy_auth($conn, $proxydn)
{
    #
    # Check to see if the directory server supports the
    # Proxied Authorization control (OID 2.16.840.1.113730.3.4.18)
    # by reading supportedControl from the Root DSE.
    #
    $r = @ldap_read($conn, '', '(objectclass=*)', array('supportedControl'));
    if ($r) {
        $results = @ldap_get_entries($conn, $r);
        if ($results['count'] == 0)
            return 'Could not read Root DSE';
        if ($results[0]['supportedcontrol']['count'] == 0)
            return 'Could not find any supportedControl attributes in Root DSE';
        $found_ctrl = 0;
        for ($i = 0; $i < $results[0]['supportedcontrol']['count']; $i++) {
            if ($results[0]['supportedcontrol'][$i] == '2.16.840.1.113730.3.4.18')
                $found_ctrl = 1;
        }
        if ($found_ctrl == 0)
            return 'Proxied Authorization control is not supported';
    }
    else
        return "Root DSE Search failed: " . @ldap_error($conn);

    # Attach the control to every subsequent request on this connection.
    # The value is the authorization identity in "dn:" form; the control is
    # marked critical so the server must either honour it or reject the
    # request, rather than silently running it as the bound user.
    $proxy_auth_ctrl = array('oid' => '2.16.840.1.113730.3.4.18',
                             'value' => "dn:$proxydn", 'iscritical' => true);
    if (!ldap_set_option($conn, LDAP_OPT_SERVER_CONTROLS, array($proxy_auth_ctrl)))
        return "Could not set Proxy Auth control";

    return '';
}

print "connect<br>\n";
$conn = ldap_connect('ldap://localhost');
if ($conn) {
    print "connected<br>\n";
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    print "set protocol v3<br>\n";
    if (! ldap_bind($conn, 'uid=admin,ou=people,<base>', '<pass>'))
        die("Could not bind to ldap server<br>\n");
    $ret = LUMS_set_proxy_auth($conn, 'uid=proxied_user,ou=people,<base>');
    print "tried to set proxy auth<br>\n";
    if ($ret != '')
        die("Proxy authorization failed: $ret");

    print "proxy auth success<br>\n";
    # This search now runs with the access rights of the proxied DN.
    ldap_search($conn, '<base>', 'uid=admin');
}
else
    print "could not connect<br>\n";
?>

Example OpenLDAP log of the above operations:

Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=0 BIND dn="uid=admin,ou=people,<base>" method=128
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=0 BIND dn="uid=admin,ou=people,<base>" mech=SIMPLE ssf=0
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=0 RESULT tag=97 err=0 text=
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=1 SRCH attr=supportedControl
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 PROXYAUTHZ dn="uid=citizen,ou=people,<base>"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 SRCH base="<base>" scope=2 deref=0 filter="(uid=admin)"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
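As an added example (not part of the original post or of LUMS), here is a small Python audit helper that joins each PROXYAUTHZ line in a slapd log with the BIND on the same connection and with the operation's result line, so the trail records both who authenticated and whose identity was assumed. The sample log is constructed, modelled on the excerpt above, with dc=example,dc=com standing in for <base>.

```python
import re

# Constructed sample lines, modelled on the slapd excerpt above (base DN is a placeholder).
SAMPLE_LOG = """\
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=0 BIND dn="uid=admin,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=0 RESULT tag=97 err=0 text=
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 PROXYAUTHZ dn="uid=citizen,ou=people,dc=example,dc=com"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=admin)"
Apr 11 12:26:41 localhost slapd[41039]: conn=23 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

def proxied_operations(log_text):
    """Join each PROXYAUTHZ line with the operation it governs.

    Returns one dict per proxied operation: the DN that authenticated (last
    BIND on that connection), the DN it asserted, the verb and result code."""
    bound = {}      # conn -> DN of the most recent BIND on that connection
    pending = {}    # (conn, op) -> record waiting for its RESULT line
    records = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group('conn'), m.group('op'), m.group('rest')
        verb = rest.split(' ', 1)[0]
        key = (conn, op)
        if verb == 'BIND':
            d = DN_RE.search(rest)
            bound[conn] = d.group('dn') if d else 'anonymous'
        elif verb == 'PROXYAUTHZ':
            pending[key] = {'conn': conn, 'op': op,
                            'authn_dn': bound.get(conn, 'anonymous'),
                            'authz_dn': DN_RE.search(rest).group('dn'),
                            'verb': None, 'err': None}
        elif key in pending:
            e = ERR_RE.search(rest)
            if e:                       # RESULT / SEARCH RESULT closes the op
                pending[key]['err'] = int(e.group('err'))
                records.append(pending.pop(key))
            elif pending[key]['verb'] is None:
                pending[key]['verb'] = verb
    records.extend(pending.values())    # ops with no RESULT (truncated log)
    return records
```

A PROXYAUTHZ line followed by a non-zero result with no operation verb is a denied attempt to assume an identity, which is the event worth alerting on.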
