Based on the type of backend server that you are using, the PingDirectoryProxy Server maintains either one or two connection pools to the backend server. It maintains either one pool for all types of operations or two separate pools for processing bind and non-bind operations from clients. When the Directory Proxy Server establishes connections, it authenticates them using whatever authentication mechanism is defined in the configuration of the external server. These connections will be re-used for all types of operations to be forwarded to the backend server. The bind DN and password are configured in the Directory Proxy Server.
Whenever a client sends a bind request to the Directory Proxy Server, the server looks at the type of bind request that was sent. If it is a SASL bind request, then the authentication is processed by the Directory Proxy Server itself and it will not be forwarded to the backend server. However, the Directory Proxy Server may use information contained in the backend server as needed. If the bind request is a simple bind request and the bind DN is within the scope of data supplied by the backend server, then the Directory Proxy Server will forward the client request to the backend server so that it will use the credentials provided by the client.
Regardless of the authentication method that the client uses, the Directory Proxy Server will remember the identity of the client after the authentication is complete and for any subsequent requests sent by that client, it will use the configured authorization method to identify the client to the backend server. Even though the operation is forwarded over a connection that is authenticated as a user defined in the Directory Proxy Server configuration, the request is processed by the backend server under the authority of the end client.