PingDirectory

About the ds-auth-may-proxy-as-* operational attributes

The PingDirectory server first builds the list of users that the authenticated user can proxy as, based on which of the ds-auth-may-proxy-as-* operational attributes are present in that user's entry.

These operational attributes are multi-valued. When more than one of them is present in an entry, they are evaluated together:

ds-auth-may-proxy-as

Specifies the user distinguished names (DNs) that the associated user can proxy as. For example, you can specify in the uid=clientApp entry that it can proxy operations as uid=admin and uid=agent1.

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
...
ds-privilege-name: proxied-auth
ds-auth-may-proxy-as: uid=admin,dc=example,dc=com
ds-auth-may-proxy-as: uid=agent1,ou=admins,dc=example,dc=com

ds-auth-may-proxy-as-group

Specifies the DNs of groups whose members the associated user can proxy as. For example, you can specify that the users the uid=clientApp entry can proxy as are the members of the group cn=Agents,ou=Groups,dc=example,dc=com. This attribute is multi-valued, so you can specify more than one group. Nested static and dynamic groups are also supported.

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
...
ds-privilege-name: proxied-auth
ds-auth-may-proxy-as-group: cn=Agents,ou=Groups,dc=example,dc=com

ds-auth-may-proxy-as-url

Specifies one or more LDAP URLs; the associated user can proxy as any entry that the URL's base DN, scope, and filter select. In the example below, uid=clientApp can proxy as every entry under ou=People,dc=example,dc=com whose l attribute is austin. This attribute is multi-valued, so you can specify more than one LDAP URL.

dn: uid=clientApp,ou=Applications,dc=example,dc=com
objectClass: top
...
ds-privilege-name: proxied-auth
ds-auth-may-proxy-as-url: ldap:///ou=People,dc=example,dc=com??sub?(l=austin)
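The following script is an added example, not code from PingDirectory or this documentation: it reproduces the evaluation described for all three attributes over a constructed in-memory directory, so that an administrator can audit exactly which users an application account such as uid=clientApp can end up proxying as. Assumptions: entries are plain dicts keyed by normalised DN with lowercase attribute names; the LDAP URL parser understands only a single equality filter such as (l=austin); static groups use member and dynamic groups use memberURL, with nesting resolved recursively; and an entry without the proxied-auth privilege is treated as able to proxy as nobody, regardless of its proxy-as values (that prerequisite is an assumption of this example, not a statement copied from the page). The sample users, groups and the uid=noPriv entry in the test are constructed.

```python
"""Which users may a client entry proxy as, given its ds-auth-may-proxy-as,
ds-auth-may-proxy-as-group and ds-auth-may-proxy-as-url values? Added example
over a constructed in-memory directory; not PingDirectory's own code."""
from typing import Optional, Set, Tuple

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofurls"}

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldap_url(url: str) -> Tuple[str, str, Optional[Tuple[str, str]]]:
    """Split ldap:///base?attrs?scope?filter into (base, scope, equality filter).
    Simplification: only one (attr=value) filter is understood; an absent filter
    or (objectClass=*) matches every entry in scope."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are supported here")
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, filt = parts[:4]
    scope = scope or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope {scope!r}")
    cond = None
    if filt and filt.lower() != "(objectclass=*)":
        attr, value = filt.strip("()").split("=", 1)
        cond = (attr.lower(), value.lower())
    return norm_dn(base), scope, cond

def search(directory, url: str) -> Set[str]:
    """Return the DNs in `directory` that the LDAP URL selects."""
    base, scope, cond = parse_ldap_url(url)
    hits = set()
    for dn, entry in directory.items():
        in_scope = dn == base or (scope == "sub" and dn.endswith("," + base)) \
            or (scope == "one" and dn.partition(",")[2] == base)
        if in_scope and (cond is None or cond[1] in [v.lower() for v in entry.get(cond[0], [])]):
            hits.add(dn)
    return hits

def group_members(directory, group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand a static (member) or dynamic (memberURL) group, descending into
    nested groups; `seen` stops a membership cycle from recursing forever."""
    seen = set() if seen is None else seen
    group_dn = norm_dn(group_dn)
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    group = directory.get(group_dn, {})
    members = {norm_dn(m) for m in group.get("member", [])}
    for url in group.get("memberurl", []):
        members |= search(directory, url)
    users: Set[str] = set()
    for m in members:
        classes = {oc.lower() for oc in directory.get(m, {}).get("objectclass", [])}
        if classes & GROUP_CLASSES:   # nested group: take its users, never the group DN itself
            users |= group_members(directory, m, seen)
        else:
            users.add(m)
    return users

def proxy_candidates(directory, client_dn: str) -> Set[str]:
    """Union of the three attributes. Assumption made in this example: a client
    entry without the proxied-auth privilege gets an empty set."""
    entry = directory.get(norm_dn(client_dn), {})
    if "proxied-auth" not in entry.get("ds-privilege-name", []):
        return set()
    allowed = {norm_dn(d) for d in entry.get("ds-auth-may-proxy-as", [])}
    for g in entry.get("ds-auth-may-proxy-as-group", []):
        allowed |= group_members(directory, g)
    for url in entry.get("ds-auth-may-proxy-as-url", []):
        allowed |= search(directory, url)
    return allowed

def may_proxy_as(directory, client_dn: str, target_dn: str) -> bool:
    return norm_dn(target_dn) in proxy_candidates(directory, client_dn)

# Constructed sample directory: the page's clientApp entry plus the users and
# groups its attributes point at (alice/bob/DenverStaff are made up here).
PERSON = ["top", "inetOrgPerson"]
DIRECTORY = {norm_dn(dn): attrs for dn, attrs in {
    "uid=clientApp,ou=Applications,dc=example,dc=com": {
        "objectclass": PERSON, "ds-privilege-name": ["proxied-auth"],
        "ds-auth-may-proxy-as": ["uid=admin,dc=example,dc=com"],
        "ds-auth-may-proxy-as-group": ["cn=Agents,ou=Groups,dc=example,dc=com"],
        "ds-auth-may-proxy-as-url": ["ldap:///ou=People,dc=example,dc=com??sub?(l=austin)"]},
    "uid=admin,dc=example,dc=com": {"objectclass": PERSON},
    "uid=agent1,ou=admins,dc=example,dc=com": {"objectclass": PERSON},
    "uid=alice,ou=People,dc=example,dc=com": {"objectclass": PERSON, "l": ["Austin"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectclass": PERSON, "l": ["Denver"]},
    "cn=Agents,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=agent1,ou=admins,dc=example,dc=com",
                   "cn=DenverStaff,ou=Groups,dc=example,dc=com"]},  # nested dynamic group
    "cn=DenverStaff,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfURLs"],
        "memberurl": ["ldap:///ou=People,dc=example,dc=com??sub?(l=denver)"]},
}.items()}
```

Calling proxy_candidates(DIRECTORY, "uid=clientApp,ou=Applications,dc=example,dc=com") returns admin (direct DN), agent1 and bob (static group plus the nested dynamic group) and alice (the LDAP URL); the group DNs themselves are never proxy targets, and a membership cycle between two groups terminates with no members. The size of that set is the blast radius if the application's credentials are compromised, which is why it is worth recomputing after any change to these attributes or to the referenced groups.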