First, I actually meant of course "authzid" in ITS

After some tests, I found out that the filter expression in the authzTo attribute of the authentication entity caused the problems:

While

    authzTo: ldap:///ou=users,ou=accounts,dc=dom??one?(uid=*)

does not work (with uid as rdn),

    authzTo: ldap:///ou=users,ou=accounts,dc=dom??one?(objectClass=*)

does.

-Mat