diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf
index 38044b651b94b0d86bc8047907e51cea0fdd68e2..8dcfcc53908e4bc8db8d3c1a94e99e45e8cbb120 100644
--- a/doc/guide/admin/security.sdf
+++ b/doc/guide/admin/security.sdf
@@ -117,15 +117,18 @@ The LDAP "simple" method has three modes of operation:
 * unauthenticated, and
 * user/password authenticated.
 
-Anonymous access is obtained by providing no name and no password
-to the "simple" bind operation.  Unauthenticated access is obtained
-by providing a name but no password.  Authenticated access is obtain
-by providing a valid name and password.
+Anonymous access is requested by providing no name and no password
+to the "simple" bind operation.  Unauthenticated access is requested
+by providing a name but no password.  Authenticated access is
+requested by providing a valid name and password.
 
 An anonymous bind results in an {{anonymous}} authorization
 association.  Anonymous bind mechanism is enabled by default, but
 can be disabled by specifying "{{EX:disallow bind_anon}}" in
-{{slapd.conf}}(5).
+{{slapd.conf}}(5).  Note that disabling the anonymous bind mechanism
+does not prevent anonymous access to the directory.  To require
+authentication to access the directory, one should instead
+specify "{{EX:require authc}}".
 
 An unauthenticated bind also results in an {{anonymous}} authorization
 association.  Unauthenticated bind mechanism is disabled by default,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 3352e01d4aae20cdda490cb8bd1b655531a7895e..c0b0058dc6156216ce1c63d0d232fcc4d2614a07 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -410,7 +410,8 @@ Base scoped search requests with an empty base DN are not affected.
 Specify a set of features (separated by white space) to
 disallow (default none).
 .B bind_anon
-disables acceptance of anonymous bind requests.
+disables acceptance of anonymous bind requests.  Note that this setting
+does not prohibit anonymous directory access (See "require authc").
 .B bind_simple
 disables simple (bind) authentication.
 .B tls_2_anon
diff --git a/servers/slapd/back-bdb/referral.c b/servers/slapd/back-bdb/referral.c
index 97305f9f54ea0d0b0bf2560cc2b749c610aaf065..168da4677d54275fcad90ddae900b930be368ef7 100644
--- a/servers/slapd/back-bdb/referral.c
+++ b/servers/slapd/back-bdb/referral.c
@@ -91,8 +91,11 @@ dn2entry_retry:
 				(long) op->o_tag, op->o_req_dn.bv_val, e->e_name.bv_val );
 
 			if( is_entry_referral( e ) ) {
+				BerVarray ref = get_entry_referrals( op, e );
 				rc = LDAP_OTHER;
-				rs->sr_ref = get_entry_referrals( op, e );
+				rs->sr_ref = referral_rewrite( ref, NULL,
+					&op->o_req_dn, LDAP_SCOPE_DEFAULT );
+				ber_bvarray_free( ref );
 				if ( rs->sr_ref ) {
 					rs->sr_matched = ber_strdup_x(
 					e->e_name.bv_val, op->o_tmpmemctx );
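Review bot: The new lines in the `is_entry_referral( e )` branch carry no comment saying why the referral list is rewritten or which array is owned by whom. I would add, above the declaration, `/* rewrite the entry's referral URLs against the request DN; the rewritten array is returned in rs->sr_ref, the original is released */`. `ref` is handed to referral_rewrite() and ber_bvarray_free() without a NULL check, which relies on both accepting NULL; if that is the intent it is worth saying in the same comment. The enclosing function starts and ends outside the hunk.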
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d43d13df336b6f1ae1333bfc1bdfe7ee2c13603b..44d621d45c383e48e23dd3eaffd5b448bff98cbf 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -129,10 +129,12 @@ ldap_back_bind( Operation *op, SlapReply *rs )
 			ldap_back_proxy_authz_bind( lc, op, rs, LDAP_BACK_SENDERR );
 			if ( !LDAP_BACK_CONN_ISBOUND( lc ) ) {
 				rc = 1;
-				goto done;
 			}
+			goto done;
 		}
 
+		/* rebind is now done inside ldap_back_proxy_authz_bind()
+		 * in case of success */
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
 		ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
 
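Review bot: The added comment `/* rebind is now done inside ldap_back_proxy_authz_bind() in case of success */` sits above the direct-bind lines (`LDAP_BACK_CONN_ISBOUND_SET( lc )`), which the proxyAuthz branch no longer reaches now that `goto done` is unconditional. Placed there it reads as a description of the code below it; moving it inside the branch, immediately before `goto done;`, puts it next to the control flow it explains. ldap_back_bind() starts before and continues past this hunk.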
@@ -655,15 +657,11 @@ retry_lock:
 		} else {
 			BER_BVZERO( &lc->lc_cred );
 			BER_BVZERO( &lc->lc_bound_ndn );
-#if 0
-			/* FIXME: if we set lc_bound_ndn = o_ndn
-			 * we end up with a bind with DN but no password! */
 			if ( !BER_BVISEMPTY( &op->o_ndn )
 				&& SLAP_IS_AUTHZ_BACKEND( op ) )
 			{
 				ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn );
 			}
-#endif
 		}
 
 #ifdef HAVE_TLS
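Review bot: Removing the `#if 0` also removes the FIXME that named the hazard, and nothing replaces it: after this hunk `lc_bound_ndn` can hold a DN while `lc_cred` has just been zeroed. The later hunks in this file avoid sending that DN without a password by substituting `""` when `BER_BVISNULL( &lc->lc_cred )`, but only at the two bind sites visible in this diff. I would keep a comment here, e.g. `/* lc_bound_ndn is set without lc_cred: every bind that uses lc_bound_ndn must send an empty DN when no credential is stored */`, so that a bind site added later does not reintroduce a name-without-password bind. The enclosing function is outside the hunk.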
@@ -915,9 +913,9 @@ retry_lock:;
 	 * It allows to use SASL bind and yet proxyAuthz users
 	 */
 	if ( op->o_conn != NULL &&
-			!op->o_do_not_cache &&
-			( BER_BVISNULL( &lc->lc_bound_ndn ) ||
-			  ( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
+		!op->o_do_not_cache &&
+		( BER_BVISNULL( &lc->lc_bound_ndn ) ||
+			( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
 	{
 		(void)ldap_back_proxy_authz_bind( lc, op, rs, sendok );
 		goto done;
@@ -970,7 +968,7 @@ retry_lock:;
 
 retry:;
 	rs->sr_err = ldap_sasl_bind( lc->lc_ld,
-			lc->lc_bound_ndn.bv_val,
+			BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,
 			LDAP_SASL_SIMPLE, &lc->lc_cred,
 			NULL, NULL, &msgid );
 
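Review bot: The guard on the bind DN tests `BER_BVISNULL( &lc->lc_cred )`, which only catches a credential whose `bv_val` is NULL; a stored credential that is non-NULL but zero-length would still be sent together with `lc_bound_ndn`, that is, a name with an empty password. Whether such a value can be stored depends on how `bindcred` is initialised in ldap_back_proxy_authz_bind(), which this diff does not show, but testing the length is the stricter check: `BER_BVISEMPTY( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,`. The same expression is added to ldap_back_default_rebind() in the next hunk and should change with it.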
@@ -1076,7 +1074,8 @@ ldap_back_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
 
 	/* FIXME: add checks on the URL/identity? */
 
-	return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val,
+	return ldap_sasl_bind_s( ld,
+			BER_BVISNULL( &lc->lc_cred ) ? "" : lc->lc_bound_ndn.bv_val,
 			LDAP_SASL_SIMPLE, &lc->lc_cred, NULL, NULL, NULL );
 }
 
@@ -1491,13 +1490,14 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 
 	switch ( li->li_idassert_authmethod ) {
 	case LDAP_AUTH_NONE:
-		LDAP_BACK_CONN_ISBOUND_SET( lc );
-		goto done;
+		rc = LDAP_SUCCESS;
+		break;
 
 	case LDAP_AUTH_SIMPLE:
 		rs->sr_err = ldap_sasl_bind( lc->lc_ld,
 				binddn.bv_val, LDAP_SASL_SIMPLE,
 				&bindcred, NULL, NULL, &msgid );
+		rc = ldap_back_op_result( lc, op, rs, msgid, 0, sendok );
 		break;
 
 	default:
@@ -1510,9 +1510,21 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 		goto done;
 	}
 
-	rc = ldap_back_op_result( lc, op, rs, msgid, 0, sendok );
 	if ( rc == LDAP_SUCCESS ) {
+		/* set rebind stuff in case of successful proxyAuthz bind,
+		 * so that referral chasing is attempted using the right
+		 * identity */
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
+		ber_dupbv( &lc->lc_bound_ndn, &binddn );
+
+		if ( LDAP_BACK_SAVECRED( li ) ) {
+			if ( !BER_BVISNULL( &lc->lc_cred ) ) {
+				memset( lc->lc_cred.bv_val, 0,
+						lc->lc_cred.bv_len );
+			}
+			ber_bvreplace( &lc->lc_cred, &bindcred );
+			ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc );
+		}
 	}
 done:;
 	return LDAP_BACK_CONN_ISBOUND( lc );
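Review bot: `ber_dupbv( &lc->lc_bound_ndn, &binddn );` overwrites `lc_bound_ndn` without releasing a previous value, and the caller in the `retry_lock` hunk reaches this function with a non-null `lc_bound_ndn` whenever `LDAP_BACK_AUTH_OVERRIDE` is set, so the old DN string looks like it is leaked on that path. Using the same call as the credential two lines below would avoid it: `ber_bvreplace( &lc->lc_bound_ndn, &binddn );` (assuming `binddn` is never null here; its initialisation is outside the hunk). Separately, with `LDAP_BACK_SAVECRED` the identity-assertion credential is now kept in `lc_cred` and replayed by the rebind callback during referral chasing, while ldap_back_default_rebind() still carries `/* FIXME: add checks on the URL/identity? */`; the new comment should say that the saved credential goes to whichever server the referral names.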
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c600c6d84999135d65c3c50a2528b8ebdb8bf9f3..adfb0167467a764812fdcec7f5af7e594784b2b7 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -59,7 +59,6 @@
 LDAP_BEGIN_DECL
 
 #define SLAP_LIGHTWEIGHT_DISPATCHER /* experimental slapd architecture */
-#define SLAP_MULTI_CONN_ARRAY
 #ifdef LDAP_PVT_THREAD_POOL_SEM_LOAD_CONTROL
 #define SLAP_SEM_LOAD_CONTROL
 #endif