I think my problem at this point is that I can't seem to get back-ldap to use the authzID to try to assert another identity.
If I have the following then all operations are carried out as the binddn, which is what I would expect.

    idassert-bind bindmethod=simple binddn="cn=erici,dc=cc,dc=utexas,dc=edu" credentials="hithere" mode=none

And if I set mode=self then I see things like the following in the logs and I gather that appropriate things are happening.

    ==>slap_sasl_authorized: can cn=erici,dc=cc,dc=utexas,dc=edu become (null)?
    ==>slap_sasl_check_authz: does cn=erici,dc=cc,dc=utexas,dc=edu match authzFrom rule in ?
    <==slap_sasl_check_authz: authzFrom check returning 32
    <== slap_sasl_authorized: return 48
    <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"

But I can't seem to get authzID to work as documented. When I don't specify 'mode' and I do specify authzID, I'm led to believe that I should see a bind from the binddn and then an identity assertion to the authzID.

    database ldap
    suffix dc=test
    uri "ldap://localhost:1389"
    idassert-bind bindmethod=simple binddn="cn=erici,dc=cc,dc=utexas,dc=edu" credentials="hithere" authzID="dn:cn=config,dc=test"
    idassert-authzFrom "dn.regex:.*"

Instead, the connection gets relayed without using the binddn or the authzID, as if I hadn't used idassert-bind at all. Am I missing something?

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342