On Fri, 1 May 2015 09:58:35 -0700, Ryan Lovett rylo@berkeley.edu wrote:
According to http://www.openldap.org/faq/data/cache/532.html, idassert-authzFrom is not needed in this case. Here is the example:
To allow (dumb) clients that do not perform bind to access servers that
require bind (and some ssf) by asserting some static identity (the dn:<dn>, or even the anonymous mode, to implement the "sandbox" user described above) without any idassert-authzFrom rule in place:

database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap.example.com"
idassert-bind bindmethod=simple
    binddn="cn=Proxy,dc=example,dc=com"
    credentials=proxy
    authzID="dn:cn=Sandbox,dc=example,dc=com"

If no authzID is given, and mode is set to none (for instance because the remote server does not support the proxyAuthz control), the clients will be authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected anonymously to the proxy. Beware that this may be a significant security breach, if that identity is granted anything but anonymous read privileges.
[...] did you create an authz-policy rule in slapd.conf? Did you add an authzTo attribute to the entry cn=Proxy,dc=example,dc=com?
-Dieter
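To show both halves of the setup the thread is talking about, here is a paired slapd.conf/LDIF fragment as an added example; it is not from the OpenLDAP FAQ, from either poster, or from the OpenLDAP project, and the hostnames, DNs, password, object classes and ACLs in it are assumptions. The proxy half repeats the FAQ's idassert-bind with an explicit authzID and shows, commented out, the weaker variant (no authzID, mode=none) the FAQ warns about. The remote half is what Dieter is asking for: authz-policy set to "to", an authzTo value on cn=Proxy naming the sandbox identity, and an ACL that grants cn=Sandbox read only.

```conf
# ---------------------------------------------------------------
# Proxy host (back-ldap), slapd.conf  -- assumed example config
# ---------------------------------------------------------------
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.example.com"

# Weak variant (the case the FAQ warns about): no authzID, mode=none.
# No proxyAuthz control is sent, so the remote server sees every
# anonymous client as cn=Proxy and applies cn=Proxy's ACLs to it.
#idassert-bind  bindmethod=simple
#               binddn="cn=Proxy,dc=example,dc=com"
#               credentials=proxy
#               mode=none

# Corrected variant: bind as cn=Proxy, but assert cn=Sandbox on every
# forwarded operation via the proxyAuthz control (same as the FAQ).
idassert-bind   bindmethod=simple
                binddn="cn=Proxy,dc=example,dc=com"
                credentials=proxy
                authzID="dn:cn=Sandbox,dc=example,dc=com"

# ---------------------------------------------------------------
# Remote host (ldap.example.com), slapd.conf  -- assumed example
# ---------------------------------------------------------------
# Only identities whose own entry carries authzTo may assert others.
authz-policy    to

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# The proxy binds anonymously first, so anonymous needs auth on
# userPassword.  Everything else is readable by cn=Sandbox only;
# cn=Proxy itself gets no read access, so even the weak variant
# above would leak nothing here.  Whatever you DO grant cn=Proxy is
# exactly what anonymous clients inherit in the weak variant.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=Sandbox,dc=example,dc=com" read
        by * none

# ---------------------------------------------------------------
# Entries on the remote host (assumed LDIF, loaded as rootdn so the
# operational attribute authzTo can be set)
# ---------------------------------------------------------------
# dn: cn=Proxy,dc=example,dc=com
# objectClass: applicationProcess
# objectClass: simpleSecurityObject
# cn: Proxy
# userPassword: proxy
# authzTo: dn.exact:cn=Sandbox,dc=example,dc=com
#
# dn: cn=Sandbox,dc=example,dc=com
# objectClass: applicationProcess
# cn: Sandbox
```

Run slaptest -f against each slapd.conf before restarting; a missing authz-policy or authzTo on the remote side does not fail at startup but shows up as a proxied operation being rejected with an authorization error once the proxyAuthz control is sent.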