Hi Quanah,

Thanks for the report. However, the EXTERNAL mechanism is in fact a SASL mechanism, just implemented directly in OpenLDAP (vs other SASL mechanisms that OpenLDAP supports via Cyrus-SASL). The location in the admin guide is correct.

Yes, thanks, Howard also pointed that out, and I learnt.

If you read RFC 4370, Section 1 clearly notes that it is a part of SASL:

"The Lightweight Directory Access Protocol [LDAPV3] supports the use of the Simple Authentication and Security Layer [SASL] for authentication and for supplying an authorization identity distinct from the authentication identity, where the authorization identity applies to the whole LDAP session."

Ehm, it doesn't actually state that Proxied Authz is part of SASL. It just continues to state that it is on a per-operation basis, and to me it reads like an independent mechanism, at least as far as the protocol is concerned. Although it can be easily imagined that it were to share (lots of) code with SASL EXTERNAL of course, but that would be an implementation choice. Or am I still not reading it correctly?

This is in fact what I was looking for; whether OpenLDAP supports this per-operation Proxy Authz Control. Aside from the above being properly located, I am still missing a remark about it in the Manual.

Thanks, -Rick