If a user entry has a value for ds-authz-map-to-dn whether it's explicitly contained in the entry or only present via a virtual attribute, then that will be used to specify the alternate authorization identity for the user. Otherwise, the default authorization identity (as indicated via the authz-dn configuration property) will be used to determine the alternate authorization identity.

  1. Use dsconfig to set the authz-dn property of the entry-balancing request processor configuration. If any user among the balanced entries does not have an alternate authorization identity defined, the Directory Proxy Server will use the value of the authz-dn property of the entry-balancing request processor configuration. 
    $ bin/dsconfig set-request-processor-prop \
  --processor-name dc_example_dc_com-eb-req-processor \
  --set "authz-dn:uid=normal user,dc=example,dc=com"
  2. Create an auxiliary object class containing ds-authz-map-to-dn as an allowed attribute.
  3. Add the auxiliary object class value to all user entries of interest.
  4. Then, add the following attribute value to a server-admin user. 
    ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com