Proxy authorization

The following ACI allows the application cn=OnBehalf,ou=applications,dc=example,dc=com to use the proxied authorization V2 control to request that operations be performed using an alternate authorization identity.

aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)

The application user must have the proxied-auth privilege.

PingDirectory

Proxy authorization