Tuesday, 5 February 2008

Utilizing IBM Directory Server proxy authorization (impersonation) within Web applications


Web applications providing gateway access to LDAP services, such as
an enterprise-wide phone and mail directory, are usually
designed to authenticate using an LDAP "superuser" account.

As a result, the user reads and updates the directory with
the rights of that highly privileged account
instead of his/her own LDAP privileges.

IBM Tivoli Directory Server offers a powerful
feature, known as proxied authorization (RFC 4370),
which enables programmers to write applications
that authenticate themselves using a specific account but operate
on behalf of the real user, thus delegating all
privilege enforcement to the LDAP server.
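
On the wire, the gateway requests this by attaching the RFC 4370 control to each operation it performs for the user. The sketch below is an added example, not code from the original post or from IBM: it BER-encodes that control by hand so the three fields are visible. The helper names and the sample DN are assumptions made for illustration.

```python
# Added example: BER-encode the RFC 4370 Proxied Authorization control.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # control OID assigned by RFC 4370


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def authz_id_for_dn(dn):
    """authzId in the 'dn:' form defined by RFC 4513.

    RFC 4370 lets an empty value mean "anonymous"; this helper (an
    assumption of the example) rejects it so that a missing session
    user is an error rather than a silent identity change.
    """
    if not dn or any(c in dn for c in "\x00\r\n"):
        raise ValueError("a non-empty DN without control characters is required")
    return ("dn:" + dn).encode("utf-8")


def proxied_authz_control(user_dn):
    """Control ::= SEQUENCE { controlType, criticality, controlValue }."""
    return tlv(0x30,
               tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))  # controlType
               + tlv(0x01, b"\xff")      # criticality TRUE, required by RFC 4370
               + tlv(0x04, authz_id_for_dn(user_dn)))      # controlValue = authzId


def controls_field(user_dn):
    """The [0] Controls element appended to the LDAPMessage of a request."""
    return tlv(0xA0, proxied_authz_control(user_dn))


if __name__ == "__main__":
    # Constructed sample DN: the user the web session belongs to.
    print(controls_field("uid=jdoe,ou=people,o=example").hex())
```

Because the control is marked critical, a server that does not support it, or that does not allow the bound account to proxy, fails the operation instead of running it with the gateway account's own rights.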
