After the Directory Server has evaluated the list of users that the authenticated user can proxy as, the server checks to see if the requested authorized user is in the list. If the requested authorized user is present in the list, then the server continues processing the proxable attributes in the entry. If the requested authorized user is not present in the list, the bind will fail.

The operational attributes on the proxying entry are as follows:
  • ds-auth-is-proxyable. Specifies whether the entry is proxyable or not. Possible values are: "allowed" (operation may be proxied as this user), "prohibited" (operations may not be proxied as this user), "required" (indicates that the account will not be allowed to authenticate directly but may only be accessed by some form of proxied authorization).
  • ds-auth-is-proxyable-as. Specifies any users allowed to use this entry as a target of proxied authorization.
  • ds-auth-is-proxyable-as-group. Specifies any groups allowed to use this entry as a target of proxied authorization. Nested static and dynamic groups are also supported.
  • ds-auth-is-proxyable-as-url. Specifies the LDAP URLs that are used to determine any users that are allowed to use this entry as a target of proxied authorization.