Edgar Fuß wrote:
> Michael Ströder wrote:
>>
>> That is for proxy authorization. Do you really need that?
>
> I suppose so, at least the documentation under
> http://www.openldap.org/doc/admin24/overlays.html#Chaining
> seems to instruct me to do so.

Hmm, yes. This text implicates use of proxy authz. But slapo-chain(5) mentions
directive 'chain-rebind-as-user' which you probably want to set to TRUE. There
is no descriptive text for this directive yet (=> filed ITS#6305). So please
try this and report back. I don't have the time today to test it myself.

>> Why is looking at the schema a waste of time?
>
> I was looking /for/ a (non-existent) schema containing the (operational)
> authzTo attribute. To me, that looks like I've wasted my time. Or am I
> wrong again in my assumption that authzTo is an operational attribute?

As Dieter already noted it's declared hard-coded in the C code not in the
subschema config files. So looking only at the config files might not be
sufficient. => Use a decent schema browser to examine the actual subschema
subentry of your server installation.

Ciao, Michael.
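The check suggested above (reading the server's published subschema rather than the schema config files), as an added example that is not part of the original message: it parses the LDIF from a base-scope search such as `ldapsearch -x -s base -b cn=Subschema attributeTypes` and reports whether an attribute is operational according to its USAGE field. The sample LDIF, its OIDs and the function names are constructed for illustration; the subschema DN is an assumption and should be taken from the `subschemaSubentry` value in your server's root DSE.

```python
import base64
import re

# RFC 4512: any USAGE other than userApplications marks an operational attribute.
OPERATIONAL = {"directoryOperation", "distributedOperation", "dSAOperation"}

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def attribute_usage(ldif):
    """Map each attribute type name (lower-cased) to its USAGE."""
    usage = {}
    for line in unfold(ldif).splitlines():
        m = re.match(r"attributeTypes(::?)\s*(.*)", line, re.I)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # '::' means the value is base64-encoded
            value = base64.b64decode(value).decode("utf-8")
        # Drop the free-text DESC so its words cannot be mistaken for keywords.
        value = re.sub(r"\bDESC\s+'[^']*'", "", value)
        names = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", value)
        if not names:
            continue
        found = [names.group(1)] if names.group(1) else re.findall(r"'([^']+)'", names.group(2))
        u = re.search(r"\bUSAGE\s+(\w+)", value)
        for n in found:
            usage[n.lower()] = u.group(1) if u else "userApplications"
    return usage

def is_operational(ldif, name):
    """True/False from USAGE, or None if the attribute is not published."""
    u = attribute_usage(ldif).get(name.lower())
    return None if u is None else u in OPERATIONAL

# Constructed sample, not copied from a real server: a folded line, a
# multi-name definition and a base64-encoded value.
_B64 = base64.b64encode(b"( 1.3.6.1.4.1.99999.1.2 NAME 'exampleOp' USAGE directoryOperation )").decode()
SAMPLE_LDIF = (
    "dn: cn=Subschema\n"
    "attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )\n"
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'authzTo' DESC 'constructed exa\n"
    " mple' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation )\n"
    "attributeTypes:: " + _B64 + "\n"
)
```

A `None` result means the definition is absent from what the server publishes, which is a different finding from "not operational".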
