Alternate authorization identities are specified by the authz-attribute property of the entry-balancing request processor configuration object.
By default, the authz-attribute property has the value ds-authz-map-to-dn, which is an attribute reserved for this purpose.
If a user entry has a value for ds-authz-map-to-dn, whether it's explicitly contained in the entry or only present with a virtual attribute, that value is used to specify the alternate authorization identity for the user. Otherwise, the default authorization identity, as indicated with the authz-dn configuration property, is used to determine the alternate authorization identity.