The Directory Server first determines the set of users that the authenticated user may proxy as by checking the authenticated user's entry for the ds-auth-may-* operational attributes. Each of these attributes is multi-valued, and if more than one of them is present in an entry they are evaluated together, so the permitted targets are those named by any of them:
  • ds-auth-may-proxy-as. Specifies the DNs of the users that the associated user is allowed to proxy as. For instance, following on from the previous example, you could specify in the uid=clientApp entry that it may proxy operations as uid=admin and uid=agent1:
    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as: uid=admin,dc=example,dc=com
    ds-auth-may-proxy-as: uid=agent1,ou=admins,dc=example,dc=com
  • ds-auth-may-proxy-as-group. Specifies the DNs of groups whose members the associated user is allowed to proxy as. For instance, you could specify that uid=clientApp may proxy as any member of the group cn=Agents,ou=Groups,dc=example,dc=com. This attribute is multi-valued, so more than one group can be specified. Static and dynamic groups are both supported, and nested groups are expanded:
    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as-group: cn=Agents,ou=Groups,dc=example,dc=com
  • ds-auth-may-proxy-as-url. Specifies one or more LDAP URLs; the associated user is allowed to proxy as any entry matched by the base DN, scope and filter of such a URL. In the example below, uid=clientApp may proxy as any entry in the subtree under ou=People,dc=example,dc=com whose l attribute is austin (the empty field between the two question marks is the URL's attribute list, which is not used here). This attribute is multi-valued, so more than one LDAP URL can be specified:
    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    ...
    ds-privilege-name: proxied-auth
    ds-auth-may-proxy-as-url: ldap:///ou=People,dc=example,dc=com??sub?(l=austin)
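To make the combination of the three attributes concrete, the following is an added example written for this page, not the Directory Server's own code: an in-memory Python model that evaluates all three ds-auth-may-proxy-as* attributes on one client entry and unions the results, expanding nested static and dynamic groups and resolving ldap:/// URLs by base DN, scope and filter. The directory contents (the Agents and Tier2 groups, the people under ou=People, the uid=noPriv entry) are constructed for the example; the filter evaluator only understands a single equality or presence assertion; and the check for the proxied-auth privilege reflects the fact that every entry shown above carries it, not a claim about what the server does when the ds-auth-may-* attributes are absent.

```python
# Added example (not the Directory Server's own code): an in-memory model of how
# the three ds-auth-may-proxy-as* attributes combine into one permitted-target
# set.  Directory contents and group names are constructed; filters are limited
# to a single equality or presence assertion; escaped commas are not handled.
from urllib.parse import unquote

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofurls"}

def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def get_attr(entry, name):
    """Case-insensitive attribute lookup; always returns a list."""
    return next((list(v) for k, v in entry.items() if k.lower() == name.lower()), [])

def match_filter(flt, entry):
    """Evaluate one '(attr=value)' or '(attr=*)' assertion against an entry."""
    flt = flt.strip()
    attr, _, value = flt[1:-1].partition("=")
    if len(flt) < 3 or flt[0] != "(" or flt[-1] != ")" or not attr.replace("-", "").isalnum():
        raise ValueError("unsupported filter: " + flt)
    values = [v.lower() for v in get_attr(entry, attr)]
    return bool(values) if value == "*" else value.lower() in values

def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":   # exactly one RDN below the base
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: " + scope)

def entries_matching_url(url, directory):
    """Resolve ldap:///base?attrs?scope?filter (RFC 4516) to a set of DNs."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled: " + url)
    base, _attrs, scope, flt = (url[8:].split("?", 3) + ["", "", ""])[:4]
    base, scope = norm_dn(unquote(base)), scope.lower() or "base"
    flt = unquote(flt) or "(objectClass=*)"   # RFC 4516 default scope and filter
    return {dn for dn, e in directory.items() if in_scope(dn, base, scope) and match_filter(flt, e)}

def group_members(group_dn, directory, seen=None):
    """Flatten a static or dynamic group, following nested groups without looping."""
    seen = set() if seen is None else seen
    gdn = norm_dn(group_dn)
    if gdn in seen:
        return set()
    seen.add(gdn)
    group, members = directory.get(gdn, {}), set()
    for m in get_attr(group, "member") + get_attr(group, "uniqueMember"):
        mdn = norm_dn(m)
        nested = mdn in directory and any(
            oc.lower() in GROUP_CLASSES for oc in get_attr(directory[mdn], "objectClass"))
        members |= group_members(mdn, directory, seen) if nested else {mdn}
    for url in get_attr(group, "memberURL"):   # dynamic group membership
        members |= entries_matching_url(url, directory)
    return members

def permitted_proxy_targets(client_dn, directory):
    """Union of the targets named by all three ds-auth-may-proxy-as* attributes."""
    client = directory[norm_dn(client_dn)]
    targets = {norm_dn(dn) for dn in get_attr(client, "ds-auth-may-proxy-as")}
    for group_dn in get_attr(client, "ds-auth-may-proxy-as-group"):
        targets |= group_members(group_dn, directory)
    for url in get_attr(client, "ds-auth-may-proxy-as-url"):
        targets |= entries_matching_url(url, directory)
    return targets

def may_proxy_as(client_dn, target_dn, directory):
    """The proxied-auth privilege is required on top of a matching target."""
    client = directory[norm_dn(client_dn)]
    if "proxied-auth" not in get_attr(client, "ds-privilege-name"):
        return False
    return norm_dn(target_dn) in permitted_proxy_targets(client_dn, directory)

# Constructed sample directory: DN -> attributes (every value is a list).
P, G = "ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com"
DIRECTORY = {norm_dn(dn): e for dn, e in {
    "uid=admin,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=agent1,ou=admins,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=agent2," + P: {"objectClass": ["person"], "l": ["austin"]},
    "uid=bob," + P: {"objectClass": ["person"], "l": ["denver"]},
    "uid=dave," + P: {"objectClass": ["person"], "l": ["denver"], "title": ["tier2"]},
    "uid=eve,ou=Contractors," + P: {"objectClass": ["person"], "l": ["austin"]},
    "cn=Agents," + G: {"objectClass": ["groupOfNames"],
                       "member": ["uid=agent2," + P, "cn=Tier2," + G]},
    "cn=Tier2," + G: {"objectClass": ["groupOfURLs"],   # nested dynamic group
                      "memberURL": ["ldap:///" + P + "??one?(title=tier2)"]},
    "uid=clientApp,ou=Applications,dc=example,dc=com": {
        "objectClass": ["top"], "ds-privilege-name": ["proxied-auth"],
        "ds-auth-may-proxy-as": ["uid=admin,dc=example,dc=com",
                                 "uid=agent1,ou=admins,dc=example,dc=com"],
        "ds-auth-may-proxy-as-group": ["cn=Agents," + G],
        "ds-auth-may-proxy-as-url": ["ldap:///" + P + "??sub?(l=austin)"]},
    "uid=noPriv,ou=Applications,dc=example,dc=com": {   # a target list but no privilege
        "objectClass": ["top"], "ds-auth-may-proxy-as": ["uid=admin,dc=example,dc=com"]},
}.items()}

if __name__ == "__main__":
    for dn in sorted(permitted_proxy_targets("uid=clientApp,ou=Applications,dc=example,dc=com", DIRECTORY)):
        print(dn)
```

Running the file prints the five DNs that uid=clientApp may proxy as: uid=admin and uid=agent1 from the direct list, uid=agent2 and uid=dave from the Agents group (dave only via the nested dynamic Tier2 group, whose one-level URL excludes the deeper ou=Contractors entry), and uid=eve because the sub-scope URL does reach ou=Contractors. uid=bob is under ou=People but in denver, so no attribute names him. What the server does for a client that holds the privilege but has none of the three attributes is not covered here; the model simply returns an empty set.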