My network's core user database is managed by OpenLDAP. Recently we needed to introduce the possibility for one user to act on another user's behalf. As all application-related rights and permissions are stored in the LDAP, we also want to store the new schema in the same place.
My question is: are there commonly recognized schemas or best practices for storing such delegated permissions in LDAP? I've heard there is such functionality in MS Exchange, which uses Active Directory.
You'd probably want to use Proxied Authorization. It uses special operational attributes (authzTo or authzFrom) to allow one bound user to perform operations using the identity and permissions of another user. I use UnboundID's LDAP SDK; they have an example of performing operations using Proxied Authorization in their Javadocs for ProxiedAuthorizationV2RequestControl.