I went through that about a year ago; proxy authorization used to drive me crazy. So I may not have the definitive answer, but maybe I can help.

First of all: increase your loglevel on slapd! It's verbose but it helps. Second: use ldapwhoami to test proxy authorization. There you can specify a target user with the -X option, and your proxy user with -U.

# ldapwhoami -U proxyuser -Y DIGEST-MD5 -X u:targetuser -H ldap://localhost

You should have two parameters enabled in your configuration. The olcAuthzPolicy (that you have) and the olcAuthzRegexp (used to build the SASL authentication string). Here is what I have in my configuration:

olcAuthzRegexp: "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
                "ldap:///dc=example,dc=net??sub?(uid=$1)"
olcAuthzPolicy: to

And, finally, as you stated, your proxyuser should have an authzTo attribute. Here is the definition of one of my proxy users:

dn: cn=proxyuser,dc=example,dc=net
uid: proxyuser
mail: [email protected]
sn: proxyuser
cn: proxyuser
objectClass: inetOrgPerson
objectClass: top
structuralObjectClass: inetOrgPerson
authzTo: {0}ldap:///dc=example,dc=net??sub?(objectClass=inetOrgPerson)
userPassword:: iodqwhdowihw0123hef92e=

Now that should be enough to make proxy authorization work (once again, test it with ldapwhoami). I have written a chapter on this on my wiki (SASL and proxy authorization), since I needed it to connect from cyrus-imapd and postfix to openldap. For more information, take a look at it: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:openldap:openldap_debian#sasl
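
To see how the three pieces in the answer above fit together (olcAuthzRegexp turning the SASL identity into a search, olcAuthzPolicy choosing which side is consulted, and the authzTo URI on the proxy entry deciding who may be impersonated), here is a small simulation of the decision slapd makes for that ldapwhoami call. This is an added example written for this page, not code from the answer or from OpenLDAP itself: it runs against a constructed in-memory directory, supports only single-component equality and presence filters, and the entries proxyuser2 (a proxy account whose authzTo is limited to ou=people) and dirmanager (a person entry outside ou=people) are assumptions added to show how far the answer's subtree-wide filter reaches.

```python
"""Simulation of how slapd resolves 'ldapwhoami -U authcid -X authzid' with
olcAuthzRegexp, olcAuthzPolicy and authzTo. Added example; the directory
below is constructed data and proxyuser2/dirmanager are assumed entries."""
import re

# The olcAuthzRegexp pair from the answer: SASL authentication DN -> LDAP URI.
AUTHZ_REGEXP = (r"^uid=([^,]+).*,cn=[^,]*,cn=auth$",
                "ldap:///dc=example,dc=net??sub?(uid=$1)")

# Constructed in-memory directory: DN -> {lowercased attribute: [values]}.
DIRECTORY = {
    "cn=proxyuser,dc=example,dc=net": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["proxyuser"],
        "authzto": ["{0}ldap:///dc=example,dc=net??sub?(objectClass=inetOrgPerson)"]},
    # Assumed second proxy account whose authzTo is limited to one subtree.
    "cn=proxyuser2,dc=example,dc=net": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["proxyuser2"],
        "authzto": ["{0}ldap:///ou=people,dc=example,dc=net??sub?(objectClass=inetOrgPerson)"]},
    "uid=targetuser,ou=people,dc=example,dc=net": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["targetuser"]},
    # Assumed privileged person entry outside ou=people.
    "uid=dirmanager,ou=admins,dc=example,dc=net": {
        "objectclass": ["inetOrgPerson", "top"], "uid": ["dirmanager"]},
    "cn=admin,dc=example,dc=net": {
        "objectclass": ["simpleSecurityObject", "organizationalRole"]},
}

def norm_dn(dn):
    """Case-fold and strip RDN spacing so DNs can be compared as strings."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()

def sasl_dn(identity, mech="DIGEST-MD5", realm=None):
    """DN slapd builds for a SASL identity: uid=<id>,[cn=<realm>,]cn=<mech>,cn=auth."""
    rdns = [f"uid={identity}"] + ([f"cn={realm}"] if realm else []) + [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)

def apply_authz_regexp(dn):
    """Rewrite a cn=auth DN with olcAuthzRegexp; None if the pattern does not match."""
    pattern, repl = AUTHZ_REGEXP
    m = re.match(pattern, dn)
    return m.expand(re.sub(r"\$(\d+)", r"\\\1", repl)) if m else None   # $1 -> \1

def parse_ldap_uri(uri):
    """ldap://host/base?attrs?scope?filter -> (base, scope, filter), with RFC 4516 defaults."""
    m = re.match(r"^ldap://[^/]*/([^?]*)(?:\?([^?]*)(?:\?([^?]*)(?:\?(.*))?)?)?$", uri)
    if not m:
        raise ValueError(f"not an LDAP URI: {uri}")
    base, _attrs, scope, flt = m.groups()
    return norm_dn(base), (scope or "base").lower(), flt or "(objectClass=*)"

def match_filter(attrs, flt):
    """Only (attr=value) and (attr=*) are supported in this simulation."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt.strip())
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = m.group(1).lower(), m.group(2)
    values = attrs.get(attr, [])
    return bool(values) if value == "*" else value.lower() in (v.lower() for v in values)

def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)          # sub / subtree

def search(uri):
    """Entries the URI selects: scope test on the DN plus the filter on attributes."""
    base, scope, flt = parse_ldap_uri(uri)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(norm_dn(dn), base, scope) and match_filter(attrs, flt)]

def identity_dn(spec):
    """Resolve 'dn:<dn>', 'u:<name>' or a bare authcid to exactly one entry DN."""
    if spec.startswith("dn:"):
        return next((d for d in DIRECTORY if norm_dn(d) == norm_dn(spec[3:])), None)
    name = spec[2:] if spec.startswith("u:") else spec
    uri = apply_authz_regexp(sasl_dn(name))
    hits = search(uri) if uri else []
    return hits[0] if len(hits) == 1 else None            # slapd needs exactly one match

def rule_admits(rule, candidate_dn):
    """Does one authzTo/authzFrom value (with optional {n} ordering prefix) admit candidate_dn?"""
    rule = re.sub(r"^\{\d+\}", "", rule)
    if rule.startswith("ldap:"):
        return norm_dn(candidate_dn) in [norm_dn(d) for d in search(rule)]
    if rule.startswith("dn:"):
        return norm_dn(rule[3:]) == norm_dn(candidate_dn)
    raise ValueError(f"unsupported authz rule: {rule}")

def proxy_authorize(authcid, authzid, policy="to"):
    """Effective DN for 'ldapwhoami -U authcid -X authzid', or None when refused."""
    proxy_dn, target_dn = identity_dn(authcid), identity_dn(authzid)
    if proxy_dn is None or target_dn is None or policy == "none":
        return None
    if norm_dn(proxy_dn) == norm_dn(target_dn):
        return target_dn                                   # no proxying involved
    if policy == "to":        # authzTo on the authenticating (proxy) entry
        rules, candidate = DIRECTORY[proxy_dn].get("authzto", []), target_dn
    elif policy == "from":    # authzFrom on the target entry
        rules, candidate = DIRECTORY[target_dn].get("authzfrom", []), proxy_dn
    else:
        raise ValueError(f"unsupported olcAuthzPolicy: {policy}")
    return target_dn if any(rule_admits(r, candidate) for r in rules) else None

if __name__ == "__main__":
    for authc, authz in [("proxyuser", "u:targetuser"), ("proxyuser", "u:dirmanager"),
                         ("proxyuser2", "u:dirmanager"), ("targetuser", "u:proxyuser")]:
        print(f"-U {authc} -X {authz}: {proxy_authorize(authc, authz)}")
```

The first two cases show what the answer's authzTo value actually grants: a subtree-wide `(objectClass=inetOrgPerson)` filter lets proxyuser act as every person entry under `dc=example,dc=net`, the assumed `dirmanager` in `ou=admins` included. The assumed proxyuser2, whose authzTo base is `ou=people`, is refused for that same target, which is the check to make when a mail or IMAP service only needs to impersonate ordinary mailbox owners. Authentication identities with a realm component (`uid=proxyuser,cn=example.net,cn=DIGEST-MD5,cn=auth`) are absorbed by the `.*` in the regexp, and an authzid that matches no entry or more than one entry is refused before any policy check, which is the symptom a higher slapd loglevel makes visible.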


After solving several config problems with Julien's help, I discovered a bug in the UnboundID LDAP SDK v2.0.0 which apparently causes modify requests to be sent without their controls. I got excellent support in their forum, they put up a new build for me within a few hours of my posting logs identifying the problem, and it sounds like it will be fixed in the 2.1.0 release. Now my code is working as intended.