Control which defines the Proxy Authorization request. More information is available in
RFC 4370. Below we have included section 3 of the RFC describing
this control:

3. Proxy Authorization Control

A single Proxy Authorization Control may be included in any search,
compare, modify, add, delete, or modify Distinguished Name (DN) or
extended operation request message. The exception is any extension
that causes a change in authentication, authorization, or data
confidentiality [RFC2829], such as Start TLS [LDAPTLS] as part of the
controls field of the LDAPMessage, as defined in [RFC2251].

The controlType of the proxy authorization control is
"2.16.840.1.113730.3.4.18".

The criticality MUST be present and MUST be TRUE. This requirement
protects clients from submitting a request that is executed with an
unintended authorization identity.

Clients MUST include the criticality flag and MUST set it to TRUE.
Servers MUST reject any request containing a Proxy Authorization
Control without a criticality flag or with the flag set to FALSE with
a protocolError error. These requirements protect clients from
submitting a request that is executed with an unintended
authorization identity.

The controlValue SHALL be present and SHALL either contain an authzId
[AUTH] representing the authorization identity for the request or be
empty if an anonymous association is to be used.

The mechanism for determining proxy access rights is specific to the
server's proxy authorization policy.

If the requested authorization identity is recognized by the server,
and the client is authorized to adopt the requested authorization
identity, the request will be executed as if submitted by the proxy
authorization identity; otherwise, the result code 123 is returned.
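
The server-side checks quoted above, sketched in Python as an added example (not code from this library or from the RFC): it decodes a BER-encoded Control and returns the result code the rules call for. The `POLICY` table, the function names and the sample identities are hypothetical, and answering a malformed encoding or a missing controlValue with protocolError is an assumption.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"
SUCCESS, PROTOCOL_ERROR, AUTHZ_DENIED = 0, 2, 123  # LDAP result codes
# Hypothetical policy: bound identity -> authzIds it may adopt ("" = anonymous).
POLICY = {"dn:cn=webapp,dc=example,dc=com": {"dn:uid=alice,dc=example,dc=com", ""}}

def _tlv(buf, pos):
    """Read one BER TLV with a definite length; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_control(raw):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }"""
    tag, body, _ = _tlv(raw, 0)
    oid_tag, oid, pos = _tlv(body, 0)
    if tag != 0x30 or oid_tag != 0x04:
        raise ValueError("not a Control SEQUENCE starting with controlType")
    critical = value = None  # None means the field is absent from the encoding
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0x01:  # BOOLEAN: criticality
            critical = val != b"\x00"
        elif tag == 0x04:  # OCTET STRING: controlValue (the authzId)
            value = val.decode("utf-8")
    return oid.decode("ascii"), critical, value

def check_proxy_authz(raw, bound_identity):
    """Result code for one encoded control, or None if it is some other control."""
    try:
        oid, critical, authz_id = decode_control(raw)
    except (ValueError, IndexError):
        return PROTOCOL_ERROR  # assumption: malformed encoding is a protocol error
    if oid != PROXY_AUTHZ_OID:
        return None
    if critical is not True or authz_id is None:
        return PROTOCOL_ERROR  # flag absent or FALSE; missing value treated alike (assumption)
    if authz_id not in POLICY.get(bound_identity, set()):
        return AUTHZ_DENIED  # identity not recognized, or client may not adopt it
    return SUCCESS

def sample(critical, value):  # constructed sample Control; None omits a field
    enc = lambda tag, v: b"" if v is None else bytes([tag, len(v)]) + v
    flag = None if critical is None else (b"\xff" if critical else b"\x00")
    body = enc(0x04, PROXY_AUTHZ_OID.encode()) + enc(0x01, flag) + enc(0x04, value)
    return enc(0x30, body)
```

Because criticality is `DEFAULT FALSE`, an encoder may omit it entirely, so the check treats an absent flag the same as an explicit FALSE.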