About the ds-auth-may-proxy-as-* operational attributes
The PingDirectory server first evaluates the list of potential users that can be proxied for the authenticated user, depending on which ds-auth-may-proxy-as-* operational attributes are present in the entry.
These operational attributes are multi-valued and are evaluated together if all are present in an entry:
ds-auth-may-proxy-as
    Specifies the user distinguished names (DNs) that the associated user can proxy as. For example, you can specify in the uid=clientApp entry that it can proxy operations as uid=admin and uid=agent1.

    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as: uid=admin,dc=example,dc=com
    ds-auth-may-proxy-as: uid=agent1,ou=admins,dc=example,dc=com

ds-auth-may-proxy-as-group
    Specifies the group DNs whose members the associated user can proxy as. For example, you can specify that the potential users that the uid=clientApp entry can proxy as are the members of the group cn=Agents,ou=Groups,dc=example,dc=com. This attribute is multi-valued, so you can specify more than one group. Nested static and dynamic groups are also supported.

    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as-group: cn=Agents,ou=Groups,dc=example,dc=com

ds-auth-may-proxy-as-url
    Specifies the DNs, returned by the criteria defined in an LDAP URL, that the associated user can proxy as. For example, the attribute below specifies that the client can proxy as any entry under ou=People that matches the filter in the LDAP URL. This attribute is multi-valued, so you can specify more than one LDAP URL.

    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as-url: ldap:///ou=People,dc=example,dc=com??sub?(l=austin)
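The following is an added example, not PingDirectory's own code, that models how the three attributes combine into one set of proxiable users so you can reason about what a given clientApp entry is allowed to impersonate. It assumes a constructed in-memory directory (DIRECTORY), static groups only, DN matching by simple lower-casing, and LDAP URLs with a single equality filter; the CLIENT_APP entry is built from the LDIF fragments above.

```python
from urllib.parse import unquote
DIRECTORY = {  # constructed toy directory: DN -> attributes, DNs kept lower case; not real data
    "uid=agent2,ou=people,dc=example,dc=com": {"l": ["austin"]},
    "uid=agent3,ou=people,dc=example,dc=com": {"l": ["denver"]},
    "uid=contractor,ou=vendors,dc=example,dc=com": {"l": ["austin"]},  # austin, but outside ou=People
    "cn=agents,ou=groups,dc=example,dc=com": {"member": ["uid=agent2,ou=people,dc=example,dc=com",
                                                         "cn=leads,ou=groups,dc=example,dc=com"]},
    "cn=leads,ou=groups,dc=example,dc=com": {"member": ["uid=agent3,ou=people,dc=example,dc=com"]},
}

def norm(dn):  # toy DN normalisation: lower-case and strip whitespace around RDNs
    return ",".join(p.strip().lower() for p in dn.split(","))

def group_members(group_dn, seen=None):  # static group members, nested groups followed, cycle-safe
    seen, members = (set() if seen is None else seen), set()
    for m in map(norm, DIRECTORY.get(norm(group_dn), {}).get("member", [])):
        if m not in seen:
            seen.add(m)
            members |= group_members(m, seen) if "member" in DIRECTORY.get(m, {}) else {m}
    return members

def url_matches(url):  # ldap:///base?attrs?scope?filter; toy supports scopes base/one/sub, one equality filter
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    base, scope = norm(unquote(base)), scope or "base"
    attr, _, value = unquote(flt).strip("()").partition("=")
    hits = set()
    for dn, attrs in DIRECTORY.items():
        under = dn.endswith("," + base)
        in_scope = {"base": dn == base, "one": under and dn.count(",") == base.count(",") + 1,
                    "sub": dn == base or under}[scope]
        if in_scope and value.lower() in map(str.lower, attrs.get(attr.lower(), [])):
            hits.add(dn)
    return hits

def proxiable_users(entry):  # union of the three ds-auth-may-proxy-as-* mechanisms described above
    allowed = {norm(dn) for dn in entry.get("ds-auth-may-proxy-as", [])}
    for group in entry.get("ds-auth-may-proxy-as-group", []):
        allowed |= group_members(group)
    for url in entry.get("ds-auth-may-proxy-as-url", []):
        allowed |= url_matches(url)
    return allowed

def may_proxy_as(entry, target_dn):
    # the LDIF above pairs these attributes with the proxied-auth privilege, so the toy requires it too
    return "proxied-auth" in entry.get("ds-privilege-name", []) and norm(target_dn) in proxiable_users(entry)

CLIENT_APP = {  # values taken from the uid=clientApp LDIF fragments on this page
    "ds-privilege-name": ["proxied-auth"],
    "ds-auth-may-proxy-as": ["uid=admin,dc=example,dc=com", "uid=agent1,ou=admins,dc=example,dc=com"],
    "ds-auth-may-proxy-as-group": ["cn=Agents,ou=Groups,dc=example,dc=com"],
    "ds-auth-may-proxy-as-url": ["ldap:///ou=People,dc=example,dc=com??sub?(l=austin)"],
}
```

Note that uid=contractor has l=austin but sits under ou=Vendors, so the URL's base excludes it; the set an entry can proxy as is only as tight as the narrowest of the three attributes you actually use.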