Alternate authorization identities are specified by the authz-attribute
property of the entry-balancing request processor configuration object. By default, the
authz-attribute
property has the default value of
ds-authz-map-to-dn
, which is an attribute reserved for this
purpose.
If a user entry has a value for ds-authz-map-to-dn
whether it's
explicitly contained in the entry or only present via a virtual attribute, then that
will be used to specify the alternate authorization identity for the user. Otherwise,
the default authorization identity (as indicated via the authz-dn
configuration property) will be used to determine the alternate authorization identity.