diff --git a/tests/data/test-whoami.ldif b/tests/data/test-whoami.ldif
index a5db51ed1132c57d22d23bdf5848fcceb9dac048..38d8dc06feb2560a30ba4b8504b2ad001f993eb8 100644
--- a/tests/data/test-whoami.ldif
+++ b/tests/data/test-whoami.ldif
@@ -5,6 +5,7 @@ objectclass: top
 objectclass: organization
 objectclass: domainRelatedObject
 objectclass: dcobject
+objectClass: simpleSecurityObject
 dc: example
 l: Anytown, Michigan
 st: Michigan
@@ -15,6 +16,8 @@ description: The Example, Inc. at Anytown
 postaladdress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US
 telephonenumber: +1 313 764-1817
 associateddomain: example.com
+userpassword:: ZXhhbXBsZQ==
+authzTo: dn:
 dn: ou=People,dc=example,dc=com
 objectclass: organizationalUnit
diff --git a/tests/scripts/test014-whoami b/tests/scripts/test014-whoami
index ae9fd28191b95d278fb9537e651b9cdfa40b2e5f..fec4bf9ae4c44a9137dd401035784ada191edd98 100755
--- a/tests/scripts/test014-whoami
+++ b/tests/scripts/test014-whoami
@@ -102,7 +102,7 @@ if test $RC != 0 ; then
 	exit $RC
-# authzFrom: someone else => njorn
+# authzFrom: someone else => bjorn
 echo "Testing authzFrom..."
 BINDDN="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
@@ -388,12 +388,40 @@ if test $RC != 1 ; then
 	exit $RC
+BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
+echo "Testing ldapwhoami as ${BINDDN} for ${AUTHZID} (no authzTo; should fail)..."
+	-e \!authzid="$AUTHZID"
+if test $RC != 1 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+echo "Testing ldapwhoami as ${BINDDN} for ${AUTHZID} (dn.exact; should succeed)..."
+	-e \!authzid="$AUTHZID"
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 echo ">>>>> Test succeeded"
 exit 0
-## Note to developers: the command
+## Note to developers: when SLAPD_DEBUG=-1 the command
 ## awk '/^do_extended$/ {if (c) {print c} c=0} /<===slap_sasl_match:/ {c++} END {print c}' testrun/slapd.1.log
-## must return consecutive numbers from 1 to 9 twice to indicate
-## that the authzFrom and authzTo rules applied in the right order.
+## must return the sequence 1 2 3 4 5 6 7 8 9 9 1 2 3 4 5 6 7 8 9 9 9 1
+## to indicate that the authzFrom and authzTo rules applied in the right order.