The Directory Server supports the Proxied Authorization Control (RFC 4370) to allow an authorized LDAP client to authenticate to the server as another user.
Typically, LDAP servers are deployed as backend authentication systems that store user credentials and the authorization privileges necessary to carry out an operation. Single sign-on (SSO) systems can retrieve user credentials from the Directory Server and then issue permissions that allow the LDAP client to request operations under the identity of another user. The proxied authorization control allows client applications to securely process requests without binding or re-authenticating to the server for every operation.
The Directory Server supports the proxied authorization v1 and v2 request controls. The proxied authorization v1 request control is based on early versions of the draft-weltman-ldapv3-proxy Internet draft and is available primarily for legacy systems. You should use the proxied authorization v2 request control, which is based on RFC 4370.
The proxied authorization v2 control requests that the associated operation be performed as if it had been requested by another user. You can use this control in conjunction with add, delete, compare, extended, modify, modify DN, and search requests. In that case, the associated operation is processed under the authority of the specified authorization identity rather than the identity associated with the client connection (for example, the user as whom that connection is bound). Specify the target authorization identity for this control as an authzid value: either dn: followed by the distinguished name of the target user, or u: followed by the user name.
Because of the security risks associated with the proxied authorization control, most directory servers enforce strict restrictions on which users can request it. If a user attempts to use the proxied authorization v2 request control without sufficient permission, the server returns a failure response with the AUTHORIZATION_DENIED result code.