PingDirectoryProxy maintains either one or two connection pools to the backend server, depending on the type of backend server you use.
PingDirectoryProxy maintains either one pool for all types of operations or two separate pools for processing bind and non-bind operations from clients. When PingDirectoryProxy establishes connections, it authenticates them using the authentication mechanism defined in the configuration of the external server.
These connections are re-used for all types of operations forwarded to the backend server. You can configure the bind distinguished name (DN) and password in the Directory Proxy Server.
When a client sends a bind request to the Directory Server, the server looks at the type of bind request that was sent:
- If the bind request is a SASL bind request, authentication is processed by the Directory Server itself and does not forward to the backend server, however, the Directory Server can use information contained in the backend server as needed.
- If the bind request is a simple bind request, and the bind DN is within the scope of data supplied by the backend server, the Directory Server forwards the client request to the backend server so that it uses the credentials provided by the client.
Regardless of the authentication method the client uses, the Directory Server remembers the identity of the client after the authentication completes. For any subsequent requests sent by that client, the Directory Server uses the configured authorization method to identify the client to the backend server.
Even though the operation is forwarded over a connection that is authenticated as a user defined in the Directory Proxy Server configuration, the request processes through the backend server under the authority of the end client.