Configure the data source to expect proxy authorization controls of either version 1 or version 2.
For example, configure the data source to expect proxy authorization controls of version 1.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-use-v1:true |
Alternatively, configure the data source to expect proxy authorization controls of version 2.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-use-v1:false |
Configure the data source to authenticate to a back-end LDAP server by using proxy authorization.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-proxy-auth |
To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-proxy-auth-for-write |
When write operations only are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.
Configure the data source with the bind credentials of Directory Proxy Server.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ bind-dn:DPS-bind-dn bind-pwd-file:filename |
Configure the data source with the timeout.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-check-timeout:value |
Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.