.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
-When
-.I bindmethod
-is
-.BR SASL ,
-the
-.I authcDN
-must be specified in addition to the
-.IR authcID ,
-although it is not used within the authentication process.
Flags can be
-\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical,dn\-{authzid|whoami}\fP
When the
.B override
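Review bot: Removing the sentence "When bindmethod is SASL, the authcDN must be specified in addition to the authcID" leaves the page silent on authcDN for SASL binds. Please replace it with a statement of the new behaviour rather than deleting it outright: say whether authcDN is now optional or ignored under SASL, and how the bound DN is determined when neither dn\-authzid nor dn\-whoami is given. A smaller style point on the new flags line: dn\-{authzid|whoami} introduces a brace-and-pipe notation next to the existing [non\-] bracket form, so a reader cannot tell from the synopsis whether the dn\- flag is optional or whether one of the two values is a default. Spell that out in the text.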
.B proxy\-authz\-critical
is recommended.
+When the
+.B dn\-authzid
+flag is used, RFC 3829 LDAP Authorization Identity Controls
+is used to retrieve the identity associated to the SASL identity;
+when the
+.B dn\-whoami
+flag is used, RFC 4532 LDAP Who am I? Operation is performed
+after the bind for the same purpose.
+
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
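Review bot: The added paragraph for dn\-authzid and dn\-whoami does not say what happens when the remote server does not support the RFC 3829 control or the RFC 4532 operation, nor whether the two flags can be set together. Since the result is the identity used for the asserted bind, the failure behaviour (bind rejected, or fall back to some other DN) should be documented here. On wording: "RFC 3829 LDAP Authorization Identity Controls is used" has a plural subject with a singular verb, and "associated to" should read "associated with". The bare "+" blank line also adds an empty line to the roff source. If the rest of the page separates paragraphs with a macro such as .LP, use that instead.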