Edgar Fuß wrote:
> Michael Ströder wrote:
>> That is for proxy authorization. Do you really need that?
> I suppose so, at least the documentation under http://www.openldap.org/doc/admin24/overlays.html#Chaining seems to instruct me to do so.

Hmm, yes. This text implicates use of proxy authz.
But slapo-chain(5) mentions directive 'chain-rebind-as-user' which you probably want to set to TRUE. There is no descriptive text for this directive yet (=> filed ITS#6305).
So please try this and report back. I don't have the time today to test it myself.

>> Why is looking at the schema a waste of time?
> I was looking /for/ a (non-existent) schema containing the (operational) authzTo attribute. To me, that looks like I've wasted my time. Or am I wrong again in my assumption that authzTo is an operational attribute?

As Dieter already noted, it's declared hard-coded in the C code, not in the subschema config files. So looking only at the config files might not be sufficient. => Use a decent schema browser to examine the actual subschema subentry of your server installation.

Ciao, Michael.
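
Added example, not part of the original thread: one way to check from the command line whether an attribute such as authzTo is operational, by reading the USAGE clause of its definition in the server's subschema subentry instead of the schema config files. The host name, the function names and the embedded LDIF (including its OIDs and USAGE value) are constructed for illustration; run the `ldapsearch` shown in the comment against your own server for the real definition.

```shell
#!/bin/sh
# Real input comes from the subschema subentry of the running server, e.g.:
#   ldapsearch -x -H ldap://ldap.example.org -s base -b cn=Subschema attributeTypes
# (placeholder host; cn=Subschema is the usual OpenLDAP subschema DN).

# usage_of NAME: read subschema LDIF on stdin, print the USAGE of attribute NAME.
# Base64-encoded values (attributeTypes::) are not handled.
usage_of() {
    awk -v name="$1" -v q="'" '
        function check(line,    want) {
            if (line !~ /^attributeTypes: /) return
            want = tolower(q name q)            # names are case-insensitive
            if (index(tolower(line), want) == 0) return
            found = 1
            if (match(line, /USAGE [A-Za-z]+/))
                print substr(line, RSTART + 6, RLENGTH - 6)
            else
                print "userApplications"        # RFC 4512 default without USAGE
        }
        /^ / { buf = buf substr($0, 2); next }  # LDIF continuation line: unfold
             { check(buf); buf = $0 }
        END  { check(buf); if (!found) print "not-found" }
    '
}

# is_operational NAME: succeed if NAME has a USAGE other than userApplications.
is_operational() {
    case "$(usage_of "$1")" in
        directoryOperation|distributedOperation|dSAOperation) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the folded form ldapsearch prints by default.
sample_subschema() {
    cat <<'EOF'
dn: cn=Subschema
attributeTypes: ( 1.1.1.1 NAME ( 'cn' 'commonName' ) DESC 'constructed sample
 entry' SUP name )
attributeTypes: ( 1.1.1.2 NAME 'authzTo' DESC 'constructed sample entry' EQUA
 LITY authzMatch SYNTAX 1.1.1.3 USAGE dSAOp
 eration )
EOF
}

sample_subschema | usage_of authzTo
```

A plain `grep authzTo` over the same output can miss the USAGE clause when the definition is folded across lines, which is why the function unfolds continuation lines first.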