PingDirectoryProxy maintains either one pool for all types of operations or two separate pools for processing bind and non-bind operations from clients. When PingDirectoryProxy establishes connections, it authenticates them using the authentication mechanism defined in the configuration of the external server.

These connections are re-used for all types of operations forwarded to the backend server. You can configure the bind distinguished name (DN) and password in the PingDirectoryProxy server.

When a client sends a bind request to the PingDirectoryProxy server, the server looks at the type of bind request that was sent:

  • If the bind request is a SASL bind request, authentication is processed by the PingDirectoryProxy server itself and does not forward to the backend server, however, the PingDirectoryProxy server can use information contained in the backend server as needed.
  • If the bind request is a simple bind request, and the bind DN is within the scope of data supplied by the backend server, the PingDirectoryProxy server forwards the client request to the backend server so that it uses the credentials provided by the client.

Regardless of the authentication method the client uses, the PingDirectoryProxy server remembers the identity of the client after the authentication completes. For any subsequent requests sent by that client, the server uses the configured authorization method to identify the client to the backend server.

Even though the operation is forwarded over a connection that is authenticated as a user defined in the PingDirectoryProxy server configuration, the request processes through the backend server under the authority of the end client.