Configuring proxied authorization requires a combination of access control instructions (ACIs) and the proxied-auth privilege to the entry that will perform operations as another user.


You cannot use the cn=Directory Manager root DN as a proxying DN.


Unless your use case requires proxying root users and administrators, consider restricting proxy users as described in Restricting proxy users.

  1. Open a text editor and create a user entry that will request operations as another user. Include the proxied-auth privilege. Save the file as add-user.ldif.

    In this example, the user entry uid=clientApp will request operations as uid=admin,dc=example,dc=com.

    dn: ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    objectClass: extensibleObject
    ou: Admins
    ou: Applications
    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Client
    uid: clientApp
    cn: Client App
    sn: App
    userPassword: password
    ds-privilege-name: proxied-auth
  2. Add the file using ldapmodify.
    $ bin/ldapmodify --defaultAdd --filename add-user.ldif
  3. To allow the target, open a text editor and create an LDIF file to assign an ACI to that branch so that the client app user can access it as a proxy auth user. Add the file using theldapmodify.

    The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, a client might need access to an accounts subtree to retrieve customer information while another client might need access to another subtree, such as a subscriber subtree.

    In this example, the client application targets the ou=People,dc=example,dc=com subtree.


    The ACI should be on a single line of text. The example shows the ACI over multiple lines for readability.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci:  (version 3.0; acl "People Proxy Access"; allow(proxy)
  4. Run a search to test the configuration using the bind DN uid=clientApp and the proxyAs option.

    Prefix dn: to the proxying entry or u: to the user name.

    The uid=clientApp binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree.

    $ bin/ldapsearch --port 1389 \ 
      --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \ 
      --bindPassword password \
      --proxyAs "dn:uid=admin,dc=example,dc=com" \ 
      --baseDN ou=People,dc=example,dc=com \