I am developing a Java application that uses Active Directory as its user store. It accesses AD using the UnboundID LDAP SDK. Initially, I planned to use a pool of connections that would bind to AD using a service account and impersonate users as needed, without requiring the user name/password to be entered again. Unfortunately, AD does not seem to support the Proxied Authorization Request Control (RFC 4370). It does not seem to support the SASL authzId field either: "Additionally, it does not permit an authorization identity to be established on the connection that is different from the authentication identity used on the connection." (from https://msdn.microsoft.com/en-us/library/cc223500.aspx)
Is there a way to make my solution work without replacing AD with some other directory?
Use Case: We use Active Directory as an identity store for our users. When users log in we verify their credentials against AD by executing a bind, which is followed by an OpenID workflow against our Authorization Provider. After that, the user is considered authenticated and authorized and is issued an access token. Everything is great until we get to the self-service and delegated management part. We don't want users to see anything that they are not allowed to see/modify. We achieve that by managing permissions in AD, e.g. an admin user can unlock accounts; a regular user cannot. If we use a service account to perform LDAP operations we lose all of the extensive security model that AD provides. We are unable to maintain a persistent connection for each logged-in user because the number of users is very large and we may potentially end up with thousands of connections. We would like to maintain a pool of connections authenticated with the service account and impersonate users as needed. The easiest way to achieve it is using Proxy Authorization.
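An added example, not code from the question or from the UnboundID project, showing the check a pooled-connection design should make before impersonating anyone: read the server's RootDSE and only send the RFC 4370 proxied authorization control if the directory advertises it, otherwise refuse rather than risk the search silently running with the service account's own permissions. The host, service account DN, password and user DN are placeholders.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;

public class ProxyAuthCheck {

    // Ask the directory which request controls it advertises before relying on one.
    static boolean advertisesProxiedAuthV2(LDAPConnection conn) throws LDAPException {
        RootDSE rootDSE = conn.getRootDSE();
        return rootDSE != null && rootDSE.supportsControl(
            ProxiedAuthorizationV2RequestControl.PROXIED_AUTHORIZATION_V2_REQUEST_OID);
    }

    // Search on behalf of another identity. Fails closed: if the control is not
    // advertised we never send the request, so it cannot run with the (broader)
    // service-account permissions instead of the user's own.
    static SearchResult searchAsUser(LDAPConnection conn, String authzId,
                                     String baseDN, String filter) throws LDAPException {
        if (!advertisesProxiedAuthV2(conn)) {
            throw new LDAPException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                "Server does not advertise proxied authorization; refusing to impersonate");
        }
        SearchRequest req = new SearchRequest(baseDN, SearchScope.SUB, filter, "cn");
        // The SDK marks this control critical, so a server must reject it rather than ignore it.
        req.addControl(new ProxiedAuthorizationV2RequestControl(authzId));
        return conn.search(req);
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder host, service account and base DN (constructed for this example).
        LDAPConnection conn = new LDAPConnection("ldap.example.test", 389,
            "CN=svc-app,OU=Service,DC=example,DC=test", "placeholder-password");
        try {
            System.out.println("Proxied auth v2 advertised: " + advertisesProxiedAuthV2(conn));
            SearchResult r = searchAsUser(conn, "dn:CN=alice,OU=Users,DC=example,DC=test",
                "DC=example,DC=test", "(objectClass=user)");
            System.out.println("Entries visible as alice: " + r.getEntryCount());
        } catch (LDAPException e) {
            // Expected against AD: the control is absent, so fall back to a per-user bind.
            System.out.println("Impersonation unavailable: " + e.getResultCode());
        } finally {
            conn.close();
        }
    }
}
```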