Nothing really stupid :) I should check with the docs (and the code :) but I think you don't really need those extra rewrite stuff because the suffixmassage directive directly provides the desired behavior by default. Otherwise, you should rather use
# require that anything extra present ends with a comma; exit in case of match
rewriteRule "((.+),)?o=NCSU,c=US$" "%1ou=people,dc=ncsu,dc=edu" ":@"
I could have sworn that "something" didn't work until I put that rewriteRule in there. I'll test it again and maybe take that out.
Something interesting, and I sincerely hope I am not cursing myself by saying this, but I didn't originally have the binddn and bindpw part in there. I have, since, put them in there and so far I haven't had o=NCSU,c=US vanish on me. Here's crossing my fingers that that was the problem. ;) Anyway, I'm going to remain silent for now.. may be back if somethings are still misbehaving. Thanks everyone for your assistance (as always)!!
Binddn/pw is used for ACLs; if you use ACLs on the proxy you better set the binddn to an appoprriate user (i.e. someone who can read-access the data that's used for authentication/access control.
Daniel
--
/\\\----------------------------------------------------------------------///\
\ \\\ Daniel Henninger http://www.vorpalcloud.org/ /// /
\_\\\ North Carolina State University - Systems Programmer ///_/
\\\ Information Technology <IT> ///
"""--------------------------------------------------------------"""