On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:

Ah, OK. Note that since some point in 2.3, authorization is described by a specific syntax http://www.openldap.org/faq/data/cache/1254.html, which should probably be advertised a bit more (and moved out from the experimental OID arc).

If that is used *everywhere* for authorisation then there could well be more doc errors to correct. I am fairly sure I saw one place where the docs specifically exclude some of those forms.

I notice that '*' excludes anonymous in this spec. There is an undocumented option to 'allow' that seems relevant: proxy_authz_anon - would allowing this cause anon to be included in '*' generally or is it not that simple?

Andrew