PingDirectory

About the ds-auth-is-proxyable-* operational attributes

After the PingDirectory server evaluates the list of users that the authenticated user can proxy as, the server checks to see if the requested authorized user is in the list.

If the requested authorized user is present in the list, the server continues by processing the proxyable attributes in the entry. If the requested authorized user is not present in the list, the bind fails.

The operational attributes on the proxying entry are as follows:

ds-auth-is-proxyable

Specifies whether the entry is proxyable or not. Possible values are:

allowed

Operations can be proxied as this user.

prohibited

Operations can’t be proxied as this user.

required

The account cannot authenticate directly but can only be accessed by some form of proxied authorization.

ds-auth-is-proxyable-as

Specifies any users allowed to use this entry as a target of proxied authorization.

ds-auth-is-proxyable-as-group

Specifies any groups allowed to use this entry as a target of proxied authorization. Nested static and dynamic groups are also supported.

ds-auth-is-proxyable-as-url

Specifies the LDAP URLs that are used to determine any users that are allowed to use this entry as a target of proxied authorization.
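The following added example (not taken from the PingDirectory documentation) lints an LDIF export for the attributes described above. The names `parse_ldif`, `audit`, and `SAMPLE_LDIF` are hypothetical, and the script assumes the export was generated with these operational attributes requested. Flagging an entry that is proxyable but lists no `ds-auth-is-proxyable-as*` restriction is a review policy chosen for this example, not a statement of how the server treats such an entry.

```python
VALID = {"allowed", "prohibited", "required"}
RESTRICTIONS = ["ds-auth-is-proxyable-as" + s for s in ("", "-group", "-url")]
# Constructed sample export: every DN and value below is illustrative only.
SAMPLE_LDIF = """\
dn: uid=app.svc,ou=Services,dc=example,dc=com
ds-auth-is-proxyable: required
ds-auth-is-proxyable-as: uid=gateway,ou=Services,dc=example,dc=com

dn: uid=user.1,ou=People,dc=example,dc=com
ds-auth-is-proxyable: allowed

dn: uid=admin,ou=People,dc=example,dc=com
ds-auth-is-proxyable: prohibited
ds-auth-is-proxyable-as-group: cn=Proxy Users,ou=Groups,dc=example,dc=com

dn: uid=user.2,ou=People,dc=example,dc=com
ds-auth-is-proxyable: permit
"""

def parse_ldif(text):
    """Yield {attribute: [values]} per entry (names lowercased, no base64 decoding)."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                   # blank line closes the entry
            if entry:
                yield entry
            entry, last = {}, None
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())

def audit(text):
    """Return (dn, finding) pairs for entries whose settings deserve review."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["<no dn>"])[0]
        mode = e.get("ds-auth-is-proxyable", [""])[0].lower()
        present = [a for a in RESTRICTIONS if e.get(a)]
        if mode and mode not in VALID:           # not one of the three documented values
            findings.append((dn, "unknown ds-auth-is-proxyable value"))
        elif mode == "prohibited" and present:   # restriction list has no effect here
            findings.append((dn, "restriction listed but proxying is prohibited"))
        elif mode in ("allowed", "required") and not present:
            findings.append((dn, "proxyable with no ds-auth-is-proxyable-as* restriction"))
    return findings
```

Calling `audit(SAMPLE_LDIF)` returns one finding each for `user.1`, `admin`, and `user.2`; the `app.svc` entry passes because it is `required` and names the user allowed to proxy as it.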