Either you provide an all-OpenLDAP setup, consisting of proxy, remote server and operation sequence that clearly shows the issue, so that we can reproduce and track it, or you should rather investigate what's happening between the proxy and the remote server, e.g. by providing a tcpdump of the communications resulting in the error you reported.
Sorry, I missed your intermediate posting with a trace of the problem (either I didn't get that message or I simply overlooked it; I've found it right now on the ITS).
I see that the connection is retried anonymously, which is incorrect. This issue is known, and it has been fixed in HEAD code by using identity assertion to retry non-anonymous connections. Another option would be to set "rebind-as-user", so that user credentials are saved and used to retry non-anonymous connections. Personally, I'd prefer the idassert approach, but "rebind-as-user" could be useful in case the remote server does not support proxyAuthz, or in case your applications need to use proxyAuthz themselves.
Can you try either (or both) approaches? The former requires you to build HEAD (or re24, since last night it was sync'ed with HEAD) code.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
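
The two options named in the message, sketched as a back-ldap stanza for the proxy's slapd.conf. This is an added example, not part of the original message or of the OpenLDAP distribution; the host name, suffix, DNs and password are constructed placeholders, and it assumes the remote server is an OpenLDAP slapd when describing the remote-side settings.

```conf
# Proxy side: slapd.conf, back-ldap database (all values are placeholders)
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://remote.example.com"

# Option 1: identity assertion.
# The proxy binds to the remote server with its own service identity and
# asserts the client's identity through proxyAuthz (mode=self), so a retried
# connection can carry the user's identity again instead of being anonymous.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,ou=Services,dc=example,dc=com"
                credentials="CHANGE-ME"
                mode=self

# Limit which locally authenticated identities may be asserted;
# a narrow subtree is safer than a catch-all pattern.
idassert-authzFrom "dn.subtree:ou=People,dc=example,dc=com"

# Option 2: rebind-as-user.
# The proxy keeps the credentials the client used for its bind and replays
# them when a connection has to be re-established. No proxyAuthz support is
# needed on the remote server, but user passwords then sit in the proxy's
# memory for the lifetime of the connection.
rebind-as-user  yes

# Remote side, needed for option 1 only (assumes an OpenLDAP remote server):
#   - slapd.conf:   authz-policy to
#   - the entry cn=ldap-proxy,ou=Services,dc=example,dc=com carries
#       authzTo: dn.subtree:ou=People,dc=example,dc=com
#     so the proxy may authorize only as users under that subtree.
```

Because idassert-bind stores the service password in clear text, slapd.conf should be readable only by the account slapd runs as.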