To illustrate how the proxied authorization operational attributes work, it is best to set up a simple example in which two LDAP clients, uid=clientApp1 and uid=clientApp2, can freely proxy two administrator accounts, uid=admin1 and uid=admin2. We will add the ds-auth-may-proxy-as-* and the ds-auth-is-proxyable-* attributes to these entries to restrict how each account can use proxied authorization. For example, the two client applications will continue to proxy the uid=admin1 account, but the uid=admin2 account can no longer be used as a proxied entry.

Restricting Proxy Users Example Scenario
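
The end state of this scenario can be written as a set of LDIF modifications. This is an added sketch, not taken from the product documentation: the base DN dc=example,dc=com is an assumption (the page gives only the RDNs), and the specific attributes chosen from the ds-auth-may-proxy-as-* and ds-auth-is-proxyable-* families are one way to express the restriction.

```ldif
# Assumption: all four entries sit directly under dc=example,dc=com.
# Assumption: both clients already hold whatever privileges and access
# control rights let them "freely proxy" today; only the restrictions
# are shown here.

# uid=admin2 can no longer be the target of proxied authorization.
dn: uid=admin2,dc=example,dc=com
changetype: modify
replace: ds-auth-is-proxyable
ds-auth-is-proxyable: prohibited

# uid=admin1 stays proxyable, but only by the two named clients.
dn: uid=admin1,dc=example,dc=com
changetype: modify
replace: ds-auth-is-proxyable
ds-auth-is-proxyable: allowed
-
replace: ds-auth-is-proxyable-by
ds-auth-is-proxyable-by: uid=clientApp1,dc=example,dc=com
ds-auth-is-proxyable-by: uid=clientApp2,dc=example,dc=com

# Each client is limited to proxying as uid=admin1 and nothing else,
# so a compromised client credential cannot be used to assume any
# other identity in the directory.
dn: uid=clientApp1,dc=example,dc=com
changetype: modify
replace: ds-auth-may-proxy-as
ds-auth-may-proxy-as: uid=admin1,dc=example,dc=com

dn: uid=clientApp2,dc=example,dc=com
changetype: modify
replace: ds-auth-may-proxy-as
ds-auth-may-proxy-as: uid=admin1,dc=example,dc=com
```

Restricting both sides (who the client may proxy as, and who may proxy the target) means a mistake on one entry does not by itself reopen the path to uid=admin2.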