It appears that one of the more basic modes of operation is now missing in back-ldap: if a direct bind is performed, then subsequent operations using that identity should not do any proxyAuthz/identity assertion at all. They should just re-use the already bound connection. I expected that this was the behavior for idassert mode=legacy but apparently that's not the case.
Trawling thru the old discussions (from May 2004) wasn't too enlightening. I suspect there's a bug here, but I'm not sure which of the assert modes to fix.
Also, the slapd-ldap(5) manpage now says "Direct binds are always proxied" but it's not clear what the significance of that statement is. I.e., yes, back-ldap has always passed direct binds through straight to the remote server. Since this sentence occurs within the description of mode=legacy, are we to imply that this is now only true for legacy mode, and in other modes direct Binds may be munged in some other way?
The function ldap_back_is_proxy_authz() behaves as if the latter were true - it returns 1 even if the op is a Bind request. But in fact the Bind will always be sent thru to the remote server. What happens next, though, depends on these various settings. I.e., after the connection has bound successfully, it might be marked as bound with that ID, and available for further use by that ID, or it may get left marked as anonymous, to be re-used for future Bind requests.
The code and the manpage are both pretty unclear on what settings should be used to get this combination of behavior: assert identity on any ID that was not authenticated by this backend passthru anything that was authenticated by this backend