The Directory Server supports the Proxied Authorization Control (RFC 4370) to allow an authorized LDAP client to authenticate to the server as another user.
Typically, LDAP servers are deployed as backend authentication systems that store user credentials and authorization privileges necessary to carry out an operation. Single sign-on (SSO) systems can retrieve user credentials from the Directory Server and then issue permissions that allow the LDAP client to request operations under the identity as another user. The proxied authorization control allows client applications to securely process requests without binding or re-authenticating to the server for every operation.
The Directory Server supports the proxied authorization v1 and v2 request
controls. The proxied authorization v1 request control is based on early versions of the
draft-weltman-ldapv3-proxy Internet draft and is available primarily
for legacy systems. You should use the proxied authorization v2 request control based on
The proxied authorization v2 control requests that the associated operation is performed as
if it had been requested by another user. You can use this control in conjunction with add,
delete, compare, extended, modify, modify DN, and search requests. In such case, the
associated operation processes under the authority of the specified authorization identity
rather than the identity associated with the client connection, such as the user as whom
that connection is bound. Specify the target authorization identity for this control as an
authzid value, either with
dn:, followed by the
distinguished name of the target user or
u:, followed by the user
Because of the security risks when using the proxied authorization control, most
directory servers enforce strict restrictions on users that can request this control. If
a user attempts to use the proxied authorization v2 request control without the
sufficient permission, the server returns a failure response with the
AUTHORIZATION_DENIED result code.