The following ACIs can be used to allow the application "cn=OnBehalf,ou=applications,dc=example,dc=com" to use the proxied authorization v2 control to request that operations be performed using an alternate authorization identity. The application user is also required to have the proxied-auth privilege as discussed later in this chapter:

aci: (version 3.0;acl "Application OnBehalf can proxy as another entry";
allow (proxy) userdn="ldap:///cn=OnBehalf,ou=applications,dc=example,dc=com";)