PingDirectory

Configuring alternate authorization identities

Alternate authorization identities are specified by the authz-attribute property of the entry-balancing request processor configuration object.

About this task

The authz-attribute property defaults to ds-authz-map-to-dn, an attribute reserved for this purpose.

If a user entry has a value for ds-authz-map-to-dn, whether the value is stored in the entry or supplied by a virtual attribute, that value specifies the alternate authorization identity for the user. Otherwise, the default authorization identity, as indicated by the authz-dn configuration property, is used as the alternate authorization identity.

Steps

  1. Set the authz-dn property of the entry-balancing request processor configuration using the dsconfig tool.

    If any user among the balanced entries doesn’t have an alternate authorization identity defined, the PingDirectoryProxy server uses the value of the authz-dn property of the entry-balancing request processor configuration.

    Example:

    $ bin/dsconfig set-request-processor-prop \
      --processor-name dc_example_dc_com-eb-req-processor \
      --set "authz-dn:uid=normal user,dc=example,dc=com"
  2. Create an auxiliary object class containing ds-authz-map-to-dn as an allowed attribute.

  3. Add the auxiliary object class value to all user entries of interest.

  4. Add the following attribute value to a server-admin user.

    Example:

    ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com
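The following script is an added example and is not part of the PingDirectory documentation or product. It generates the LDIF that steps 2 to 4 call for (the auxiliary object class definition, the object class addition to a user entry, and the ds-authz-map-to-dn value) and prints the dsconfig, ldapmodify and ldapsearch invocations that would apply and verify them; nothing is sent to a server unless you run the printed commands. The object class name authzMapUser, its OID 1.3.6.1.4.1.99999.1.1, the PD_* connection values and the user DNs are placeholders, not values from the page. The tool flag spellings are those of the PingDirectory command-line tools; confirm them against bin/ldapmodify --help before use.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation.
# Builds the LDIF for steps 2-4 of the procedure and prints the commands
# that would apply it. Placeholders (assumptions, not values from the docs):
#   - object class name authzMapUser with OID 1.3.6.1.4.1.99999.1.1
#   - PD_* connection settings below
#   - user DNs passed to the functions

PD_HOST="${PD_HOST:-ds1.example.com}"
PD_PORT="${PD_PORT:-389}"
PD_BIND_DN="${PD_BIND_DN:-cn=Directory Manager}"
AUTHZ_OC="authzMapUser"
AUTHZ_OC_OID="1.3.6.1.4.1.99999.1.1"   # placeholder OID, use your own arc

# Step 2: auxiliary object class that allows ds-authz-map-to-dn.
# Schema changes are a modify of cn=schema, so the LDIF carries the definition.
schema_ldif() {
  cat <<EOF
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( $AUTHZ_OC_OID NAME '$AUTHZ_OC' AUXILIARY MAY ( ds-authz-map-to-dn ) )
EOF
}

# Step 3: attach the auxiliary class to one user entry ($1 is the user DN).
user_objectclass_ldif() {
  cat <<EOF
dn: $1
changetype: modify
add: objectClass
objectClass: $AUTHZ_OC
EOF
}

# Step 4: set the alternate authorization identity on one entry.
# $1 is the entry to modify, $2 is the DN it should be authorized as.
# "replace" is used so the same LDIF works whether or not a value exists.
authz_map_ldif() {
  cat <<EOF
dn: $1
changetype: modify
replace: ds-authz-map-to-dn
ds-authz-map-to-dn: $2
EOF
}

# Write the three LDIF files and print the commands for a complete run.
# $1 user DN, $2 target authorization DN, $3 output directory (optional).
print_commands() {
  user_dn="$1"; target_dn="$2"; outdir="${3:-./authz-ldif}"
  mkdir -p "$outdir"
  schema_ldif > "$outdir/schema.ldif"
  user_objectclass_ldif "$user_dn" > "$outdir/user-oc.ldif"
  authz_map_ldif "$user_dn" "$target_dn" > "$outdir/user-authz.ldif"
  cat <<EOF
# Step 1: fallback identity for balanced users that have no mapping of their own
bin/dsconfig set-request-processor-prop \\
  --processor-name dc_example_dc_com-eb-req-processor \\
  --set "authz-dn:uid=normal user,dc=example,dc=com"
# Steps 2-4: apply the generated LDIF to the backend directory server
for f in schema.ldif user-oc.ldif user-authz.ldif; do
  bin/ldapmodify --hostname $PD_HOST --port $PD_PORT \\
    --bindDN "$PD_BIND_DN" --promptForBindPassword --filename $outdir/\$f
done
# Check: the mapping attribute should now be visible on the entry
bin/ldapsearch --hostname $PD_HOST --port $PD_PORT --bindDN "$PD_BIND_DN" \\
  --promptForBindPassword --baseDN "$user_dn" --scope base "(objectClass=*)" ds-authz-map-to-dn
EOF
}

# Usage:
# print_commands "uid=admin1,dc=example,dc=com" "uid=server-admin,dc=example,dc=com"
```

Two points worth keeping in mind when running this for real: every balanced user without its own ds-authz-map-to-dn value is authorized as the authz-dn identity from step 1, so that fallback entry should carry only the privileges you intend all such users to have; and the final ldapsearch is the cheapest way to confirm that step 3 and step 4 actually took effect on a given entry before relying on the mapping.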