rick@openfortress.nl wrote:

This is in fact what I was looking for; whether OpenLDAP supports this per-operation Proxy Authz Control.

So you can try yourself. The rootdn can always do this.

The help of ldapsearch tool says:

-e [!]<ext>[=<extparam>] general extensions (! indicates criticality) [..] [!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")

Ciao, Michael.