Configuring proxied authorization requires two things: an access control instruction (ACI) on the target subtree that grants the proxy right, and the proxied-auth privilege on the entry that will perform operations as another user.
Note: You cannot use the cn=Directory Manager root DN as a proxying DN.
  1. Open a text editor and create a user entry, such as uid=clientApp, which is the user entry that will request operations as another user, uid=admin,dc=example,dc=com. The client application entry also requires the proxied-auth privilege to allow it to run proxied authorization requests. Save the file as add-user.ldif.
    # Container for application accounts
    dn: ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    objectClass: extensibleObject
    ou: Applications

    # The client application entry; proxied-auth lets it send proxied authorization requests
    dn: uid=clientApp,ou=Applications,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    givenName: Client
    uid: clientApp
    cn: Client App
    sn: App
    userPassword: password
    ds-privilege-name: proxied-auth
  2. Add the file using ldapmodify.
    $ bin/ldapmodify --defaultAdd --filename add-user.ldif
  3. The client application targets a specific subtree in the Directory Information Tree (DIT) for its operations. For example, one client may need access to an accounts subtree to retrieve customer information, while another may need access to a different subtree, such as a subscriber subtree. In this example, we want the client application to target the ou=People,dc=example,dc=com subtree. To allow this, open a text editor and create an LDIF file that adds an ACI to that branch so that the client application entry can access it as a proxied authorization user. Note that the ACI value must be a single line of text in the LDIF file (or be folded with LDIF continuation lines, each starting with a single space). Add the file using ldapmodify.
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (version 3.0; acl "People Proxy Access"; allow (proxy) userdn="ldap:///uid=clientApp,ou=Applications,dc=example,dc=com";)
  4. Run a search to test the configuration using the bind DN uid=clientApp and the --proxyAs option. The value of --proxyAs is an authorization ID, which must be prefixed with "dn:" (followed by the DN of the entry to proxy as) or "u:" (followed by a user name). Here uid=clientApp binds to the server and proxies as uid=admin to access the ou=People,dc=example,dc=com subtree.
    # Each line ends with a backslash and no trailing whitespace, otherwise the shell
    # treats the backslash as a literal and the command is cut short.
    # The search filter (objectClass=*) is a generic choice for testing and matches every entry.
    $ bin/ldapsearch --port 1389 \
      --bindDN "uid=clientApp,ou=Applications,dc=example,dc=com" \
      --bindPassword password \
      --proxyAs "dn:uid=admin,dc=example,dc=com" \
      --baseDN ou=People,dc=example,dc=com \
      "(objectClass=*)"
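The steps above show the server-side configuration and the command-line test. The following Python module is an added example, not part of this documentation or the directory server's own tooling. It shows what the --proxyAs option sends on the wire: a Proxied Authorization v2 control (RFC 4370) whose value is the authorization ID in "dn:" or "u:" form, with criticality set to TRUE so that a server which does not support the control rejects the request instead of silently running it as the bound user. It also builds the single-line ACI from step 3 and folds it into LDIF continuation lines. The DNs and ACL name are the example values from this page; the function names and the use of Python are assumptions of this example, and no connection to a server is made, so it runs offline.

```python
"""Client-side helpers for LDAP proxied authorization (RFC 4370).

Added example, not part of the original documentation or of the
directory server's own tools.  DNs and the ACL name come from the
page; everything else is this example's own construction.
"""
import re

# OID of the Proxied Authorization v2 control defined in RFC 4370.
PROXIED_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"

# An authorization ID is either "dn:<distinguished name>" or "u:<user name>".
_AUTHZ_ID_RE = re.compile(r"^(dn|u):(.*)$")


def parse_authz_id(authz_id: str) -> tuple[str, str]:
    """Split an authorization ID into its form ("dn" or "u") and identity.

    RFC 4370 reuses the authzId syntax of RFC 4513.  An empty identity would
    mean "proxy as anonymous", which is never what a client application
    intends, so it is rejected here rather than sent to the server.
    """
    match = _AUTHZ_ID_RE.match(authz_id)
    if not match:
        raise ValueError(f"authzId must start with 'dn:' or 'u:', got {authz_id!r}")
    form, identity = match.group(1), match.group(2).strip()
    if not identity:
        raise ValueError("authzId carries an empty identity")
    return form, identity


def build_proxied_auth_control(authz_id: str) -> tuple[str, bool, bytes]:
    """Return (controlType, criticality, controlValue) for the LDAP control.

    RFC 4370 requires criticality TRUE.  The control value is the raw UTF-8
    authzId string; it is not wrapped in an additional BER sequence.
    """
    parse_authz_id(authz_id)  # fail early on a malformed identity
    return PROXIED_AUTH_V2_OID, True, authz_id.encode("utf-8")


def proxy_aci(acl_name: str, client_dn: str) -> str:
    """Build the single-line ACI value that grants allow (proxy) to client_dn."""
    return (
        f'(version 3.0; acl "{acl_name}"; allow (proxy) '
        f'userdn="ldap:///{client_dn}";)'
    )


def fold_ldif_value(attr: str, value: str, width: int = 76) -> str:
    """Fold one LDIF attribute line as RFC 2849 allows.

    Continuation lines start with exactly one space, which a reader strips
    when joining, so the folded form is equivalent to the single-line form.
    """
    line = f"{attr}: {value}"
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def unfold_ldif(text: str) -> str:
    """Reverse fold_ldif_value: join continuation lines back into one line."""
    return text.replace("\n ", "")


if __name__ == "__main__":
    # Example values taken from the page.
    client_dn = "uid=clientApp,ou=Applications,dc=example,dc=com"
    authz_id = "dn:uid=admin,dc=example,dc=com"
    print(build_proxied_auth_control(authz_id))
    print(fold_ldif_value("aci", proxy_aci("People Proxy Access", client_dn)))
```

The folded ACI printed by the module can be pasted into the step 3 LDIF file in place of the one-line value; both forms produce the same attribute value on the server.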