Kurt Zeilenga wrote:
IIRC, if you want all authenticated users without a directory entry to be treated as anonymous, you can perform a authzid mapping through an LDAP lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose. But although there's no authz-DN found for the technical authc-DN the client is treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's wrong.
So I have to add the work-around <WHO> field Pierangelo suggested to all those ACLs.