Configuring alternate authorization identities

Alternate authorization identities are specified by the authz-attribute property of the entry-balancing request processor configuration object.

About this task

By default, the authz-attribute property is set to ds-authz-map-to-dn, an attribute reserved for this purpose. If a user entry has a value for ds-authz-map-to-dn, whether it is explicitly contained in the entry or only present as a virtual attribute, that value is used as the alternate authorization identity for the user. Otherwise, the default authorization identity, as indicated by the authz-dn configuration property, is used to determine the alternate authorization identity.
Steps

- Set the authz-dn property of the entry-balancing request processor configuration using the dsconfig tool. If any user among the balanced entries doesn't have an alternate authorization identity defined, the PingDirectoryProxy server uses the value of the authz-dn property of the entry-balancing request processor configuration.

  Example:

  $ bin/dsconfig set-request-processor-prop \
      --processor-name dc_example_dc_com-eb-req-processor \
      --set "authz-dn:uid=normal user,dc=example,dc=com"

- Create an auxiliary object class containing ds-authz-map-to-dn as an allowed attribute.

- Add the auxiliary object class value to all user entries of interest.

- Add the following attribute value to a server-admin user.

  Example:

  ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com
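As an added example that is not part of the PingDirectory documentation, the LDIF below carries out the last three steps in one ldapmodify run: it defines the auxiliary object class in the server schema, attaches it to a balanced user entry, and sets the mapping on the server-admin entry. The object class name mappedAuthzUser, the OID under the 1.3.6.1.4.1.32473 example arc, and the entry DNs under ou=People are assumptions; every balanced entry that is left without a ds-authz-map-to-dn value keeps falling back to the authz-dn identity set in the first step.

```ldif
# Step 2: define the auxiliary object class in the server schema.
# The OID is a placeholder under the RFC 5612 example arc (assumption);
# replace it with an OID from an arc you control.
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.32473.1.1 NAME 'mappedAuthzUser'
  DESC 'Permits an alternate authorization identity via ds-authz-map-to-dn'
  SUP top AUXILIARY MAY ds-authz-map-to-dn X-ORIGIN 'user defined' )

# Step 3: attach the object class to each user entry of interest
# (constructed example DN). Entries that never receive this object class,
# and therefore no ds-authz-map-to-dn value, are authorized as authz-dn.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: mappedAuthzUser

# Step 4: the server-admin entry (constructed example DN) gets the object
# class and the mapping value from the procedure above in one operation.
dn: uid=server-admin,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: mappedAuthzUser
-
add: ds-authz-map-to-dn
ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com
```

Apply the file with bin/ldapmodify (--filename plus the usual connection and bind options) against the servers that hold the schema and the balanced user entries, then confirm the mapping is visible on the entry with a search for the ds-authz-map-to-dn attribute before relying on it.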