diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 5d21a3c5810f60750888249cbc179651874a1cd1..ccfdedc4841b9991ce00435bdfe2da5747c7579f 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -143,7 +143,7 @@ ldap_back_conn_cmp(
 	int rc;
 	
 	/* If local DNs don't match, it is definitely not a match */
-	if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn )) )
+	if ( ( rc = ber_bvcmp( &lc1->local_dn, &lc2->local_dn ) ) )
 		return rc;
 
 	/* For shared sessions, conn is NULL. Only explicitly
@@ -226,17 +226,16 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
 struct ldapconn *
 ldap_back_getconn(Operation *op, SlapReply *rs)
 {
-	struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
-	struct ldapconn *lc, lc_curr;
-	LDAP *ld;
-	int is_priv = 0;
+	struct ldapinfo	*li = (struct ldapinfo *)op->o_bd->be_private;
+	struct ldapconn	*lc, lc_curr;
+	LDAP		*ld;
+	int		is_priv = 0;
 
 	/* Searches for a ldapconn in the avl tree */
 
 	/* Explicit binds must not be shared */
 	if ( op->o_tag == LDAP_REQ_BIND
-		|| (op->o_conn
-		  && (op->o_bd == op->o_conn->c_authz_backend ))) {
+		|| ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) ) {
 		lc_curr.conn = op->o_conn;
 
 	} else {
@@ -463,7 +462,9 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 				int		freeauthz = 0;
 
 				/* if SASL supports native authz, prepare for it */
-				if ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) {
+				if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+						( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+				{
 					switch ( li->idassert_mode ) {
 					case LDAP_BACK_IDASSERT_OTHERID:
 					case LDAP_BACK_IDASSERT_OTHERDN:
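Review bot: The guard added to the native-authz `if` is the De Morgan negation of the test added further down in ldap_back_proxy_authz_ctrl (`op->o_do_not_cache && op->o_is_auth_check`), so the same "internal auth check" predicate is spelled two different ways in one file. Because this predicate decides whether the client's identity is asserted to the remote server, I would name it once, for example a new macro `#define LDAP_BACK_IS_AUTH_CHECK(op) ( (op)->o_do_not_cache && (op)->o_is_auth_check )`. This condition would then read `!LDAP_BACK_IS_AUTH_CHECK( op ) && ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )`, and the later hunk would use the positive form. The enclosing ldap_back_dobind body starts and ends outside the hunk.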
@@ -753,7 +754,8 @@ ldap_back_proxy_authz_ctrl(
 {
 	struct ldapinfo	*li = (struct ldapinfo *) op->o_bd->be_private;
 	LDAPControl	**ctrls = NULL;
-	int		i = 0;
+	int		i = 0,
+			mode;
 	struct berval	assertedID;
 
 	*pctrls = NULL;
@@ -845,7 +847,14 @@ ldap_back_proxy_authz_ctrl(
 		rs->sr_text = "proxyAuthz not allowed within namingContext";
 	}
 
-	switch ( li->idassert_mode ) {
+	if ( op->o_do_not_cache && op->o_is_auth_check ) {
+		mode = LDAP_BACK_IDASSERT_NOASSERT;
+
+	} else {
+		mode = li->idassert_mode;
+	}
+
+	switch ( mode ) {
 	case LDAP_BACK_IDASSERT_LEGACY:
 	case LDAP_BACK_IDASSERT_SELF:
 		/* original behavior:
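Review bot: The override to `LDAP_BACK_IDASSERT_NOASSERT` carries no comment explaining why an auth-check operation ignores the configured `li->idassert_mode`. That is a security-relevant decision: with no identity asserted, the remote server presumably authorizes the request as the proxy's own bound identity. I would add a comment above the `if` along the lines of `/* internal auth lookups run as the proxy identity itself; the configured idassert mode is deliberately bypassed */`, adjusted to the actual intent. The switch body continues outside the hunk, so it is worth confirming that it has a `LDAP_BACK_IDASSERT_NOASSERT` case that leaves without building a control instead of reaching a default branch.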
diff --git a/tests/data/slapd-ldapgluepeople.conf b/tests/data/slapd-ldapgluepeople.conf
index 879a9d16d43349ba99d16d26f1011cd8f5e02628..818b65e0159a68f62247e3a56c1b8899bc4c8ea9 100644
--- a/tests/data/slapd-ldapgluepeople.conf
+++ b/tests/data/slapd-ldapgluepeople.conf
@@ -41,6 +41,7 @@ authz-regexp	"^uid=([^,]+),.*" "uid=$1,ou=People,dc=example,dc=com"
 #
 
 access to attr=userpassword
+	by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read
 	by self =wx
 	by anonymous =x
 
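Review bot: The new `by dn.exact="uid=proxy,ou=People,dc=example,dc=com" read` clause lets the proxy identity read every entry's `userpassword` value, and nothing in the file says why. A comment above the rule, such as `# proxied SASL binds: secrets are looked up as uid=proxy, which therefore needs read here` (to be confirmed against the intent of the change), would keep this fixture from being copied as a general-purpose ACL. Anyone adapting it should treat the proxy credential as equivalent to access to the whole password store and keep the grant as narrow as the deployment allows.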
diff --git a/tests/scripts/test029-ldapglue b/tests/scripts/test029-ldapglue
index 1f8201ff8bdc01d3fb2a92a7e53bdae093565cc0..50051cda97fe99a6db0a3b13206dc7811d79c700 100755
--- a/tests/scripts/test029-ldapglue
+++ b/tests/scripts/test029-ldapglue
@@ -185,33 +185,33 @@ if test $? != 0 ; then
 fi
 
 # FIXME: this cannot work as is, because SASL bind cannot be proxied!
-#if test $USE_SASL != "no" ; then
-#	ID="bjorn"
-#	BASE="dc=example,dc=com"
-#	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
-#	$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
-#		-Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
-#
-#	RC=$?
-#	if test $RC != 0 ; then
-#		echo "ldapsearch failed ($RC)!"
-#		test $KILLSERVERS != no && kill -HUP $KILLPIDS
-#		exit $RC
-#	fi
-#
-#	echo "Filtering ldapsearch results..."
-#	. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
-#	echo "Filtering original ldif used to create database..."
-#	. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
-#	echo "Comparing filter output..."
-#	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
-#	
-#	if test $? != 0 ; then
-#		echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
-#		test $KILLSERVERS != no && kill -HUP $KILLPIDS
-#		exit 1
-#	fi
-#fi
+if test $USE_SASL != "no" ; then
+	ID="bjorn"
+	BASE="dc=example,dc=com"
+	echo "Testing ldapsearch as $ID for \"$BASE\" with SASL bind and identity assertion..."
+	$LDAPSASLSEARCH -h $LOCALHOST -p $PORT1 -b "$BASE" \
+		-Q -U "$ID" -w bjorn -Y $MECH > $SEARCHOUT 2>&1
+
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapsearch failed ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+
+	echo "Filtering ldapsearch results..."
+	. $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+	echo "Filtering original ldif used to create database..."
+	. $LDIFFILTER < $LDAPGLUEOUT > $LDIFFLT
+	echo "Comparing filter output..."
+	$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+	
+	if test $? != 0 ; then
+		echo "comparison failed - glued search with SASL bind and identity assertion didn't succeed"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit 1
+	fi
+fi
 
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
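Review bot: The context line `# FIXME: this cannot work as is, because SASL bind cannot be proxied!` is left directly above the block this hunk re-enables, so the comment now contradicts the code beneath it. I would drop it or replace it with a line stating what the test depends on, e.g. `# relies on the proxy identity having read access to userPassword (see slapd-ldapgluepeople.conf)`. Separately, `test $USE_SASL != "no"` expands unquoted and fails with a test syntax error if the variable is empty. `test "$USE_SASL" != "no"` is safer, although the unquoted form may simply follow the rest of the script.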