---
title: Configuring proxied authorization
description: Configuring proxied authorization requires a combination of access control instructions (ACIs) and the proxied-auth privilege to the entry that will perform operations as another user.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_config_proxied_authn
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_config_proxied_authn.html
revdate: May 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
---

# Configuring proxied authorization

## About this task

Configuring proxied authorization requires a combination of access control instructions (ACIs) and the `proxied-auth` privilege to the entry that will perform operations as another user.

> **Note:** You cannot use the `cn=Directory Manager` root DN as a proxying DN. Unless your use case requires proxying root users and administrators, consider restricting proxy users as described in [Restricting proxy users](pd_ds_restrict_proxy_users.html).

## Steps

1. Open a text editor and create a user entry that will request operations as another user. Include the `proxied-auth` privilege. Save the file as `add-user.ldif`.

   ### Example:

   In this example, the user entry `uid=clientApp` will request operations as `uid=admin,dc=example,dc=com`.

   ```
   dn: ou=Applications,dc=example,dc=com
   objectClass: top
   objectClass: organizationalUnit
   objectClass: extensibleObject
   ou: Admins
   ou: Applications

   dn: uid=clientApp,ou=Applications,dc=example,dc=com
   objectClass: top
   objectClass: person
   objectClass: organizationalPerson
   objectClass: inetOrgPerson
   givenName: Client
   uid: clientApp
   cn: Client App
   sn: App
   userPassword: password
   ds-privilege-name: proxied-auth
   ```

2. Add the file using `ldapmodify`.

   ### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename add-user.ldif
   ```

3. To grant access to the target subtree, open a text editor and create an LDIF file that assigns an ACI to that branch so that the client app user can access it as a proxy auth user. Add the file using `ldapmodify`.

   The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, a client might need access to an accounts subtree to retrieve customer information while another client might need access to another subtree, such as a subscriber subtree.

   ### Example:

   In this example, the client application targets the `ou=People,dc=example,dc=com` subtree.

   > **Note:** The ACI should be on a single line of text. The example shows the ACI over multiple lines for readability.

   ```
   dn: ou=People,dc=example,dc=com
   changetype: modify
   add: aci
   aci:  (version 3.0; acl "People Proxy Access"; allow(proxy)
     userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
   ```

4. Run a search to test the configuration, binding as `uid=clientApp` and passing the `proxyAs` option.

   Prefix the `proxyAs` value with `dn:` when it is the DN of the entry to proxy as, or with `u:` when it is a user name.

   ### Example:

   The `uid=clientApp` entry binds to the server and proxies as `uid=admin` to access the `ou=People,dc=example,dc=com` subtree.

   ```shell
   $ bin/ldapsearch --port 1389 \
     --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
     --bindPassword password \
     --proxyAs "dn:uid=admin,dc=example,dc=com" \
     --baseDN ou=People,dc=example,dc=com \
     "(objectclass=*)"
   ```
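As an added example (not PingDirectory's own tooling, and not part of the original page), the following Python script pre-checks the two LDIF fragments from the steps above before they are applied: it confirms that the proxy user entry carries the `proxied-auth` privilege, that the proxying DN is not `cn=Directory Manager`, and that an ACI on the target subtree grants `allow(proxy)` to that user's DN. The LDIF strings are constructed copies of the page's examples (plus one deliberately wrong ACI for contrast); the parser handles LDIF line folding, which the folded ACI relies on, but not base64 (`::`) values or escaped commas in DNs.

```python
"""Pre-flight check for a PingDirectory proxied-authorization setup.

Added example: parses LDIF fragments offline and verifies the three
conditions the procedure depends on. Not part of the PingDirectory product.
"""
import re

# Constructed copy of add-user.ldif from the page.
ADD_USER_LDIF = """\
dn: ou=Applications,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Applications

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Client
uid: clientApp
cn: Client App
sn: App
userPassword: password
ds-privilege-name: proxied-auth
"""

# Constructed copy of the ACI modification from the page (folded over two lines).
ACI_LDIF = """\
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "People Proxy Access"; allow(proxy)
  userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
"""

# Constructed negative case: grants read/search but not proxy.
BAD_ACI_LDIF = """\
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (version 3.0; acl "People Read Only"; allow(read,search)
  userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
"""

ROOT_DN = "cn=directory manager"

# Matches 'allow(<rights>) userdn="ldap:///<dn>"', with or without
# parentheses around the userdn bind rule.
ACI_RE = re.compile(
    r'allow\s*\(\s*([^)]*?)\s*\)\s*\(?\s*userdn\s*=\s*"ldap:///([^"]+)"',
    re.IGNORECASE,
)


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators.

    Escaped commas inside RDN values are not handled (assumption).
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) records from LDIF text.

    A line beginning with a single space continues the previous value
    (LDIF folding). Base64 ('::') values are not decoded (assumption).
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def check_proxy_setup(user_ldif, aci_ldif, proxy_dn, target_dn):
    """Return a dict of named checks -> bool for the proxied-auth setup."""
    want = normalize_dn(proxy_dn)
    users = {normalize_dn(dn): attrs for dn, attrs in parse_ldif(user_ldif)}
    proxy = users.get(want, {})
    privileges = {p.lower() for p in proxy.get("ds-privilege-name", [])}

    acis = {normalize_dn(dn): attrs.get("aci", []) for dn, attrs in parse_ldif(aci_ldif)}
    granted = False
    for aci in acis.get(normalize_dn(target_dn), []):
        for rights, userdn in ACI_RE.findall(aci):
            rights_set = {r.strip().lower() for r in rights.split(",")}
            if "proxy" in rights_set and normalize_dn(userdn) == want:
                granted = True

    return {
        "entry_present": bool(proxy),
        "has_proxied_auth_privilege": "proxied-auth" in privileges,
        "not_root_dn": want != ROOT_DN,
        "aci_grants_proxy": granted,
    }


if __name__ == "__main__":
    report = check_proxy_setup(
        ADD_USER_LDIF, ACI_LDIF,
        "uid=clientApp,ou=Applications,dc=example,dc=com",
        "ou=People,dc=example,dc=com",
    )
    for name, ok in report.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against the real files before `ldapmodify` by replacing the embedded strings with the file contents; a `FAIL` on `aci_grants_proxy` usually means the `proxy` right or the `userdn` in the ACI does not match the bind DN used in step 4.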
