If the requested authorized user is present in the list, then the server continues processing the proxable attributes in the entry. If the requested authorized user is not present in the list, the bind fails.

The operational attributes on the proxying entry are as follows:

ds-auth-is-proxyable
Specifies whether the entry is proxyable or not. Possible values are:
allowed
Operations can be proxied as this user.
prohibited
Operations can't be proxied as this user.
required
The account cannot authenticate directly but can only be accessed by some form of proxied authorization.
ds-auth-is-proxyable-as
Specifies any users allowed to use this entry as a target of proxied authorization.
ds-auth-is-proxyable-as-group
Specifies any groups allowed to use this entry as a target of proxied authorization. Nested static and dynamic groups are also supported.
ds-auth-is-proxyable-as-url
Specifies the LDAP URLs that are used to determine any users that are allowed to use this entry as a target of proxied authorization.