---
title: Proxied authorization
description: Proxied authorization, defined in RFC 4370, provides a mechanism for binding as a proxy, and making requests on behalf of other users. For example, an application binds with its credentials, but each request is made as a user who logs in through the application.
component: pingds
version: 8.1
page_id: pingds:ldap-guide:proxied-authz
canonical_url: https://docs.pingidentity.com/pingds/8.1/ldap-guide/proxied-authz.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Authorization", "LDAP"]
---

# Proxied authorization

Proxied authorization, defined in [RFC 4370](https://www.rfc-editor.org/info/rfc4370), provides a mechanism for binding as a proxy, and making requests on behalf of other users. For example, an application binds with its credentials, but each request is made as a user who logs in through the application.

To use proxied authorization, the proxy user must have:

* Permission to use the LDAP Proxy Authorization Control.

  Grant access to this control using an access control instruction (ACI), a rule that grants or denies users access to perform operations on a server, with a `targetcontrol` list that includes the Proxy Authorization Control, `ProxiedAuthV2` (OID `2.16.840.1.113730.3.4.18`). The ACI must grant `allow(read)` permission to the proxy.

  This calls for an ACI with a target scope that includes the entry of the proxy user binding to the directory.

* Permission to proxy as the given authorization user.

  This calls for an ACI with a target scope that includes the entry of the authorization user. The ACI must grant `allow(proxy)` permission to the proxy.

* The privilege to use proxied authorization.

  Add `ds-privilege-name: proxied-auth` to the proxy's entry.

The following table shows whether proxied authorization allows an operation on the target, depending on the access rights of the bind DN (the proxy) and of the proxy ID (the user the proxy acts as):

|                         | Bind DN no access | Bind DN has access |
| ----------------------- | ----------------- | ------------------ |
| **Proxy ID no access**  | No                | No                 |
| **Proxy ID has access** | Yes               | Yes                |

The following steps rely on the access settings available in the evaluation setup profile, described in [Learn about the evaluation setup profile](../install-guide/setup-ds.html#about-ds-evaluation), to demonstrate proxied authorization for an Example.com application. In the evaluation profile, `kvaughan` is a directory administrator user with access to modify `bjensen`'s entry.

If you are using a different profile, make sure you have granted access to the bind DN user and the proxy ID user:

1. Grant access to applications to use the Proxy Authorization control, and to use proxied authorization:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=admin \
    --bindPassword password << EOF
   dn: dc=example,dc=com
   changetype: modify
   add: aci
   aci: (targetcontrol="ProxiedAuthV2")
     (version 3.0; acl "Apps can use the Proxy Authorization Control";
     allow(read) userdn="ldap:///cn=*,ou=Apps,dc=example,dc=com";)
   aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")
     (version 3.0; acl "Allow apps proxied auth";
     allow(proxy) (userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)
   EOF
   ```

   The latter ACI allows any user whose DN matches `cn=*,ou=Apps,dc=example,dc=com` to proxy as any user under the ACI target, `dc=example,dc=com`. For example, `cn=My App,ou=Apps,dc=example,dc=com` can proxy as any Example.com user, but cannot proxy as the directory superuser `uid=admin`, because the `uid=admin` entry lies outside the ACI target.

2. Grant My App the privilege to use proxied authorization:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=admin \
    --bindPassword password << EOF
   dn: cn=My App,ou=Apps,dc=example,dc=com
   changetype: modify
   add: ds-privilege-name
   ds-privilege-name: proxied-auth
   EOF
   ```

   Other applications without this privilege cannot yet use proxied authorization.

3. Test that My App can use proxied authorization:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
    --bindPassword password \
    --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com" << EOF
   dn: uid=bjensen,ou=People,dc=example,dc=com
   changetype: modify
   replace: description
   description: Changed through proxied auth
   EOF
   ```

   ```
   # MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
   ```

Use an identity mapper if authorization identifiers have the `u:authzid` (user ID) form rather than the `dn:authzid` (DN) form. Specify the identity mapper with the global configuration setting, `proxied-authorization-identity-mapper`.

For details, refer to [Identity mappers](client-auth.html#client-auth-identity-mappers).
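To make the three prerequisites, the access matrix and the two `authzid` forms concrete, here is an added Python model of the decision the server makes. It is example code written for this page, not PingDS code: the ACIs are the two from step 1 expressed as dicts, the identity map stands in for `proxied-authorization-identity-mapper`, and the `Other App` entry and the set of identities allowed to modify `bjensen`'s entry are constructed. DN handling is simplified (case-insensitive, comma-separated RDNs, no escaping).

```python
"""Offline model of the proxied-authorization checks described on this page.

Added example, not PingDS code. ACIs, identity map and access rights are
constructed from the evaluation-profile names used on the page.
"""
from fnmatch import fnmatchcase

PROXIED_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"  # ProxiedAuthV2 control

MY_APP_DN = "cn=My App,ou=Apps,dc=example,dc=com"
OTHER_APP_DN = "cn=Other App,ou=Apps,dc=example,dc=com"  # constructed: no privilege
KVAUGHAN_DN = "uid=kvaughan,ou=People,dc=example,dc=com"
BJENSEN_DN = "uid=bjensen,ou=People,dc=example,dc=com"

# The two ACIs added in step 1; both are placed on the dc=example,dc=com entry.
ACIS = [
    {"target": "dc=example,dc=com", "targetcontrol": "ProxiedAuthV2",
     "allow": {"read"}, "userdn": "ldap:///cn=*,ou=Apps,dc=example,dc=com"},
    {"target": "ldap:///dc=example,dc=com", "targetattr": "*",
     "allow": {"proxy"}, "userdn": "ldap:///cn=*,ou=Apps,dc=example,dc=com"},
]

# Stand-in for proxied-authorization-identity-mapper: user ID -> DN (constructed).
IDENTITY_MAP = {"kvaughan": KVAUGHAN_DN, "bjensen": BJENSEN_DN}

# Identities allowed to modify bjensen's entry (constructed): only kvaughan.
CAN_MODIFY_TARGET = {"uid=kvaughan,ou=people,dc=example,dc=com"}


def split_dn(dn):
    """Normalize a DN or ldap:/// URL into lower-case RDNs, leaf first."""
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def norm_dn(dn):
    return ",".join(split_dn(dn))


def dn_in_scope(dn, base):
    """True if dn is base itself or an entry below base."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def dn_matches_userdn(dn, pattern):
    """Match a DN against an ACI userdn pattern such as cn=*,ou=Apps,..."""
    d, p = split_dn(dn), split_dn(pattern)
    return len(d) == len(p) and all(fnmatchcase(x, y) for x, y in zip(d, p))


def parse_authzid(authzid, identity_map):
    """Resolve an RFC 4370 authzid: dn:<DN> is literal, u:<userid> is mapped."""
    if authzid.startswith("dn:"):
        return authzid[3:]
    if authzid.startswith("u:"):
        user_id = authzid[2:]
        if user_id not in identity_map:
            raise LookupError(f"identity mapper found no entry for {user_id!r}")
        return identity_map[user_id]
    raise ValueError(f"unsupported authzid form: {authzid!r}")


def can_proxy(proxy_dn, proxy_privileges, acis, authz_dn):
    """Check the three prerequisites from the page; return (allowed, reason)."""
    if "proxied-auth" not in proxy_privileges:
        return False, "proxy lacks ds-privilege-name: proxied-auth"
    if not any(aci.get("targetcontrol") in ("ProxiedAuthV2", PROXIED_AUTH_V2_OID)
               and "read" in aci["allow"]
               and dn_in_scope(proxy_dn, aci["target"])
               and dn_matches_userdn(proxy_dn, aci["userdn"]) for aci in acis):
        return False, "no ACI grants allow(read) on ProxiedAuthV2 to the proxy"
    if not any("proxy" in aci["allow"]
               and dn_in_scope(authz_dn, aci["target"])
               and dn_matches_userdn(proxy_dn, aci["userdn"]) for aci in acis):
        return False, f"no allow(proxy) ACI target covers {authz_dn}"
    return True, "proxying permitted"


def operation_allowed(bind_dn, bind_privileges, acis, authzid, identity_map, can_modify):
    """Apply the access matrix: once proxying is permitted, only the
    authorization identity's access to the target matters, not the bind DN's."""
    authz_dn = parse_authzid(authzid, identity_map)
    ok, reason = can_proxy(bind_dn, bind_privileges, acis, authz_dn)
    if not ok:
        return False, reason
    if norm_dn(authz_dn) not in can_modify:
        return False, f"authorization identity {authz_dn} has no access to the target"
    return True, f"operation performed as {authz_dn}"


if __name__ == "__main__":
    scenarios = [
        ("My App as dn:kvaughan", MY_APP_DN, {"proxied-auth"}, "dn:" + KVAUGHAN_DN),
        ("My App as u:kvaughan", MY_APP_DN, {"proxied-auth"}, "u:kvaughan"),
        ("My App as uid=admin", MY_APP_DN, {"proxied-auth"}, "dn:uid=admin"),
        ("My App as u:bjensen", MY_APP_DN, {"proxied-auth"}, "u:bjensen"),
        ("Other App as u:kvaughan", OTHER_APP_DN, set(), "u:kvaughan"),
    ]
    for label, bind_dn, privs, authzid in scenarios:
        ok, why = operation_allowed(bind_dn, privs, ACIS, authzid, IDENTITY_MAP, CAN_MODIFY_TARGET)
        print(f"{label:26} -> {'allowed' if ok else 'denied'}: {why}")
```

Running the script walks through the cases the page discusses: My App proxying as `kvaughan` succeeds with either `authzid` form, proxying as `uid=admin` fails because that entry is outside the `dc=example,dc=com` target, an application without the `proxied-auth` privilege is refused before any ACI is consulted, and proxying as a user who cannot modify the target is refused even though the proxy itself was permitted to proxy.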
