A product authenticates to eDirectory by using SASL EXTERNAL over IPC. It proves that it runs with the same POSIX identity and this is mapped to the domain controller account DN. The domain controller account is allowed to impersonate arbitrary users, so that it can operate with least privileges when performing operations on behalf of RPC clients.