rick@openfortress.nl wrote:
> This is in fact what I was looking for; whether OpenLDAP supports this
> per-operation Proxy Authz Control.

So you can try yourself. The rootdn can always do this.

The help of ldapsearch tool says:

  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
  [..]
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")

Ciao, Michael.
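
Added example, not part of the original message and not OpenLDAP code: a Python sketch of the RFC 4370 Proxied Authorization control that an `-e '!authzid=...'` argument describes, useful for recognising the control in a packet capture or server log. The function names and the sample DN are assumptions made for illustration.

```python
# Added example: BER encoding of the RFC 4370 Proxied Authorization control.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # controlType assigned by RFC 4370


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def parse_ext(arg: str):
    """Split an ldapsearch -e argument such as '!authzid=dn:...' into
    (critical, authzid); only the authzid extension is handled here."""
    critical = arg.startswith("!")
    name, sep, authzid = arg.lstrip("!").partition("=")
    if name != "authzid" or not sep:
        raise ValueError("expected [!]authzid=<authzid>")
    # An empty authzid asks for anonymous authorization (RFC 4370).
    if authzid and not authzid.startswith(("dn:", "u:")):
        raise ValueError('authzid must be "dn:<dn>" or "u:<user>"')
    return critical, authzid


def proxy_authz_control(arg: str) -> bytes:
    """Return the BER-encoded LDAP Control for a -e authzid argument."""
    critical, authzid = parse_ext(arg)
    if not critical:
        # RFC 4370 requires criticality TRUE, so a server that cannot honour
        # the control fails the operation instead of running it under the
        # bound identity.
        raise ValueError("RFC 4370 requires a critical control: use '!'")
    return tlv(0x30,                                  # Control ::= SEQUENCE
               tlv(0x04, PROXY_AUTHZ_OID.encode())    # controlType
               + tlv(0x01, b"\xff")                   # criticality TRUE
               + tlv(0x04, authzid.encode("utf-8")))  # controlValue = authzId


if __name__ == "__main__":
    # Constructed sample DN, not taken from the thread.
    print(proxy_authz_control("!authzid=dn:uid=alice,dc=example,dc=org").hex())
```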