From 0eb251002c9db48c6df5cbdb460de28d7e4c5519 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Wed, 24 Jun 2015 15:55:17 +0000
Subject: [PATCH] CR-7377 OPENDJ-2110 Doc how proxy auth affects resource limits

---
 opendj-sdk/opendj-server-legacy/src/main/docbkx/admin-guide/chap-resource-limits.xml      |   23 +++++++++++++++++++++++
 opendj-sdk/opendj-server-legacy/src/main/docbkx/server-dev-guide/chap-ldap-operations.xml |   19 +++++++++++++++++++
 2 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/opendj-sdk/opendj-server-legacy/src/main/docbkx/admin-guide/chap-resource-limits.xml b/opendj-sdk/opendj-server-legacy/src/main/docbkx/admin-guide/chap-resource-limits.xml
index 3ed4f31..dd113c0 100644
--- a/opendj-sdk/opendj-server-legacy/src/main/docbkx/admin-guide/chap-resource-limits.xml
+++ b/opendj-sdk/opendj-server-legacy/src/main/docbkx/admin-guide/chap-resource-limits.xml
@@ -279,4 +279,27 @@
   <para>The example shown sets the maximum request size on the LDAP connection
   handler to 20 MB.</para>
  </section>
+
+ <section xml:id="limits-and-proxied-authz">
+  <title>Resource Limits and Proxied Authorization</title>
+
+  <para>
+   Proxied authorization uses a standard LDAP control
+   to permit an application to bind as one user
+   and then carry out LDAP operations on behalf of other users.
+  </para>
+
+  <para>
+   When using proxied authorization as described in the section on
+   <link
+    xlink:href="server-dev-guide#proxied-authz"
+    xlink:role="http://docbook.org/xlink/role/olink"
+    xlink:show="new"
+   ><citetitle>Configuring Proxied Authorization</citetitle></link>
+   know that the resource limits do not change
+   when the user proxies as another user.
+   In other words, resource limits depend on the bind DN,
+   not the proxy authorization identity.
+  </para>
+ </section>
 </chapter>
diff --git a/opendj-sdk/opendj-server-legacy/src/main/docbkx/server-dev-guide/chap-ldap-operations.xml b/opendj-sdk/opendj-server-legacy/src/main/docbkx/server-dev-guide/chap-ldap-operations.xml
index 47c4411..67ec1eb 100644
--- a/opendj-sdk/opendj-server-legacy/src/main/docbkx/server-dev-guide/chap-ldap-operations.xml
+++ b/opendj-sdk/opendj-server-legacy/src/main/docbkx/server-dev-guide/chap-ldap-operations.xml
@@ -1474,6 +1474,25 @@
    </step>
   </procedure>
 
+  <note>
+   <para>
+    When you configure resource limits as described in the chapter on
+    <link
+     xlink:href="admin-guide#chap-resource-limits"
+     xlink:role="http://docbook.org/xlink/role/olink"
+     xlink:show="new"
+    ><citetitle>Setting Resource Limits</citetitle></link>,
+    know that the resource limits do not change
+    when the user proxies as another user.
+    In other words, resource limits depend on the bind DN,
+    not the proxy authorization identity.
+    In the examples in the procedure <xref linkend="setup-proxied-authz" />
+    the resource limits would be those set for
+    <literal>cn=My App,ou=Apps,dc=example,dc=com</literal>,
+    not <literal>uid=kvaughan,ou=People,dc=example,dc=com</literal>.
+   </para>
+  </note>
+
   <para>If you need to map authorization identifiers using the
   <literal>u:</literal> form rather than using <literal>dn:</literal>, you can
   set the identity mapper with the global configuration setting,

--
Gitblit v1.10.0