The following ACI allows the application cn=OnBehalf,ou=applications,dc=example,dc=com to use the proxied authorization V2 control to request that operations be performed using an alternate authorization identity.
aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
  allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)
Note: The application user must have the proxied-auth privilege.
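
The ACI and the note above can be checked together when reviewing a directory export. The following audit script is an added example, not code from the original page or from the directory server project. It assumes an LDIF export in which the privilege is stored in the ds-privilege-name attribute (the OpenDJ/OUD attribute name, not stated on this page), and it only handles userdn subjects in the first allow clause of each ACI. The names audit_proxy, parse_entries and the sample entries are hypothetical.

```python
import re

# Constructed sample LDIF: only the first ACI is the one from the page.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
  allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)
aci: (version 3.0;acl "constructed: any bound user";
  allow (read,proxy) userdn="ldap:///all";)
aci: (version 3.0;acl "constructed: batch job";
  allow (proxy) userdn="ldap:///cn=Batch,ou=applications,dc=example,dc=com";)

dn: cn=OnBehalf,ou=applications,dc=example,dc=com
ds-privilege-name: proxied-auth
"""

ACI_RE = re.compile(r'acl\s+"([^"]*)"\s*;\s*allow\s*\(([^)]*)\)(.*)', re.I | re.S)
BROAD = {"ldap:///anyone", "ldap:///all"}  # subjects that match many identities

def parse_entries(ldif):
    """Unfold LDIF (newline + one space is a fold) and yield (dn, [(attr, value)])."""
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", ldif).strip()):
        pairs = [tuple(p.strip() for p in line.split(":", 1))
                 for line in block.splitlines() if ":" in line]
        if pairs and pairs[0][0].lower() == "dn":
            yield pairs[0][1].lower(), pairs[1:]

def audit_proxy(ldif):
    """Return (acl name, subject, status) for each subject granted the proxy right."""
    entries = list(parse_entries(ldif))
    # Assumption: privileges are listed per entry in ds-privilege-name.
    privs = {dn: {v.lower() for a, v in attrs if a.lower() == "ds-privilege-name"}
             for dn, attrs in entries}
    findings = []
    for _, attrs in entries:
        for attr, value in attrs:
            m = ACI_RE.search(value) if attr.lower() == "aci" else None
            if not m or "proxy" not in [r.strip().lower() for r in m.group(2).split(",")]:
                continue
            for urls in re.findall(r'userdn\s*=\s*"([^"]*)"', m.group(3), re.I):
                for subject in (u.strip() for u in urls.split("||")):
                    dn = subject[len("ldap:///"):].lower()
                    status = ("broad-subject" if subject.lower() in BROAD or "*" in dn
                              else "ok" if "proxied-auth" in privs.get(dn, set())
                              else "missing-privilege")
                    findings.append((m.group(1), subject, status))
    return findings
```

A missing-privilege result only means the export does not show the privilege on that entry, so confirm it against the live server before changing anything.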