https://bugs.openldap.org/show_bug.cgi?id=7084
--- Comment #3 from Michael Ströder michael@stroeder.com ---
Maybe my original comment was not clear enough.
Of course it is sufficient for most use-cases to just check authz-DN != entryDN.
My suggestion was to define a new attribute for a pwdPolicy entry for defining authz-IDs considered to be an administrator - kind of an additional constraint to the condition above. The syntax could be similar to or the same as that already implemented for authzTo/authzFrom attributes. But no proxy authorization allowed at all.