Typically, LDAP servers are deployed as backend authentication systems that store user credentials and authorization privileges necessary to carry out an operation. Single sign-on (SSO) systems can retrieve user credentials from the Directory Server and then issue permissions that allow the LDAP client to request operations under the identity as another user. The proxied authorization control allows client applications to securely process requests without binding or re-authenticating to the server for every operation.

The Directory Server supports the proxied authorization v1 and v2 request controls. The proxied authorization v1 request control is based on early versions of the draft-weltman-ldapv3-proxy Internet draft and is available primarily for legacy systems. You should use the proxied authorization v2 request control based on RFC 4370.

The proxied authorization v2 control requests that the associated operation is performed as if it had been requested by another user. You can use this control in conjunction with add, delete, compare, extended, modify, modify DN, and search requests. In such case, the associated operation processes under the authority of the specified authorization identity rather than the identity associated with the client connection, such as the user as whom that connection is bound. Specify the target authorization identity for this control as an authzid value, either with dn:, followed by the distinguished name of the target user or u:, followed by the user name.


Because of the security risks when using the proxied authorization control, most directory servers enforce strict restrictions on users that can request this control. If a user attempts to use the proxied authorization v2 request control without the sufficient permission, the server returns a failure response with the AUTHORIZATION_DENIED result code.