An authorization ID is an identifier that is used by a client to indicate that one or more operations should be performed under the authority of an alternate identity. This alternate authorization identity can last for a single operation (when used in conjunction with the Proxied Authorization Control), or for the entire duration of an authentication session (when used in conjunction with an appropriate SASL mechanism, like DIGEST-MD5, GSSAPI, or PLAIN SASL Mechanism).

In most cases, an authorization ID should be specified in one of the following forms:

  • The string "dn:" followed by the DN of the target user (or just the string "dn:" if the authorization identity should be that of the anonymous user).
  • The string "u:" followed by a username used to identify the user. An identity mapper will be used to map the provided username to the corresponding user LDAP Entry.

In OpenDS, the ability for a client to use an alternate authorization identity is controlled by the "proxied-auth" Privilege. In some cases, additional Access Control rights may also be required.

More Information#

There might be more information for this subject on one of the following: