AFAIK, Sun encodes the proxyAuthz requests a'la Mozilla, which is inconsistent with RFC 4370. In OpenLDAP's code there are limited provisions to handle those cases. For example, back-ldap/meta can use that encoding by the "obsolete-encoding-workaround" flag; it can also use the original specification of proxyAuthz by the "obsolete-proxy-authz" flag (I think they're both undocumented, though).
OpenLDAP clients can only request the use of the obsolete encoding.
These hacks are necessary when using SunONE, I don't know if they are with other LDAP-enabled software from Sun. We developed a custom module that allows slapd to understand both the obsolete control (no issue, since it uses a different OID) as well as the obsolete encoding (issue: it uses the RFC 4370 OID, so it is incompatible with the correct implementation).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------