The authz-attribute property defaults to ds-authz-map-to-dn, an attribute reserved for this purpose.

If a user entry has a value for ds-authz-map-to-dn, whether stored explicitly in the entry or supplied by a virtual attribute, that value specifies the alternate authorization identity for the user. Otherwise, the default authorization identity specified by the authz-dn configuration property is used.

  1. Set the authz-dn property of the entry-balancing request processor configuration using the dsconfig tool.
    Note: If any user among the balanced entries doesn't have an alternate authorization identity defined, the PingDirectoryProxy server uses the value of the authz-dn property of the entry-balancing request processor configuration.

    $ bin/dsconfig set-request-processor-prop \
      --processor-name dc_example_dc_com-eb-req-processor \
      --set "authz-dn:uid=normal user,dc=example,dc=com"
  2. Create an auxiliary object class containing ds-authz-map-to-dn as an allowed attribute.
  3. Add the auxiliary object class value to all user entries of interest.
  4. Add the following attribute value to a server-admin user.
    ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com
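
Steps 2 through 4 written out as LDIF change records, as an added illustration that is not part of the original documentation. The object class name exampleAuthzMapUser, its OID (taken from the 2.999 example arc), and the entry DNs are assumptions; substitute your own values.

```ldif
# Step 2: define an auxiliary object class that allows ds-authz-map-to-dn.
# The class name and OID are constructed placeholders, not product-defined values.
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.999.1.1
  NAME 'exampleAuthzMapUser'
  DESC 'Allows an alternate authorization identity on a user entry'
  SUP top
  AUXILIARY
  MAY ds-authz-map-to-dn )

# Steps 3 and 4: add the auxiliary class to the server-admin entry and set
# the mapping value from step 4. The entry DN is assumed for this example.
dn: uid=server-admin,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleAuthzMapUser
-
add: ds-authz-map-to-dn
ds-authz-map-to-dn: uid=server-admin,dc=example,dc=com

# Step 3 for an ordinary user (constructed DN): the class is present but no
# ds-authz-map-to-dn value is set, so the authz-dn default from step 1 applies.
dn: uid=jdoe,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleAuthzMapUser
```

Because the value of ds-authz-map-to-dn selects the identity used for authorization, restrict write access to that attribute to administrators.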