Jaap Winius wrote:
> Hi all,
>
> My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got
> person objects located in two different org. units and want to search
> both of them for a potential match, so I included these two statements
> in slapd.conf:
>
> authz-regexp
>   uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
>   ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> authz-regexp
>   uid=([^,].*),cn=example.com,cn=gssapi,cn=auth
>   ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>
> Unfortunately, it's not working as I hoped. If I have two test users,
> uid=john in ou=eng and uid=pete in ou=bio, then after first
> authenticating them with the Kerberos kinit command, in this situation
> a subsequent ldapwhoami command for each will give:
>
> dn:uid=john,ou=eng,dc=example,dc=com
> dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
>
> The second result is, of course, completely useless. However, if I
> change the order of the two authz-regexp statements I get:
>
> dn:uid=john,cn=example.com,cn=gssapi,cn=auth
> dn:uid=pete,ou=bio,dc=example,dc=com
>
> Now the first result is useless. In other words, both authz-regexp
> statements work, but the second statement is being ignored. Why? How
> can I get slapd to also process the second authz-regexp statement?
You can't. As the slapd.conf(5) manpage states, the matching process stops
at the first rule that matches the incoming SASL name. If you want to use
multiple authz-regexp statements, they must each have unique "match"
portions, because any duplicates will be ignored. For your case, you need
to come up with a single search specification that will handle both
branches of your search. One possible solution would be to use entryDN in
the filter:

ldap:///dc=example,dc=com??sub?(&(|(entryDN:dnSubtreeMatch:=ou=eng,dc=example,dc=com)(entryDN:dnSubtreeMatch:=ou=bio,dc=example,dc=com))(uid=$1)(objectclass=person))

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
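The first-match behaviour described in the reply, as an added worked example that is not part of the thread and not OpenLDAP code: a small Python model of how slapd walks its authz-regexp rules (first matching "match" pattern wins, its "replace" URL is searched, and exactly one hit maps the identity). The directory contents are constructed for the example; the filter evaluator only understands &, |, equality, presence and the entryDN:dnSubtreeMatch extensible match, which is all the two configurations from the thread need. Treating zero or more than one hit as "no mapping" is an assumption made here to keep the model simple; a real slapd logs the failure and the bind is left with the unmapped SASL name or rejected.

```python
import re
from urllib.parse import unquote

# Constructed toy directory (not a real server): DN -> attributes, attribute
# names lower-cased. "ann" exists in both OUs to show an ambiguous mapping.
DIRECTORY = {
    "uid=john,ou=eng,dc=example,dc=com": {"uid": ["john"], "objectclass": ["person"]},
    "uid=pete,ou=bio,dc=example,dc=com": {"uid": ["pete"], "objectclass": ["person"]},
    "uid=svc,ou=bio,dc=example,dc=com":  {"uid": ["svc"],  "objectclass": ["device"]},
    "uid=ann,ou=eng,dc=example,dc=com":  {"uid": ["ann"],  "objectclass": ["person"]},
    "uid=ann,ou=bio,dc=example,dc=com":  {"uid": ["ann"],  "objectclass": ["person"]},
}

# SASL name slapd hands to authz-regexp after a GSSAPI bind (from the thread).
SASL = "uid={},cn=example.com,cn=gssapi,cn=auth"

# The poster's two rules: identical "match" parts, so the second is never reached.
TWO_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
]

# The single-rule replacement suggested in the reply, using entryDN.
ONE_RULE = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///dc=example,dc=com??sub?(&(|(entryDN:dnSubtreeMatch:=ou=eng,dc=example,dc=com)"
     "(entryDN:dnSubtreeMatch:=ou=bio,dc=example,dc=com))(uid=$1)(objectClass=person))"),
]

def _rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]

def dn_in_subtree(dn, base):
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def dn_one_level(dn, base):
    return dn_in_subtree(dn, base) and len(_rdns(dn)) == len(_rdns(base)) + 1

def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> (slapd accepts the filter unescaped)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = parts[:4]
    return base, (scope or "base"), (unquote(filt) or "(objectClass=*)")

def parse_filter(s, i=0):
    """Tiny recursive-descent parser: ('&'|'|', [subfilters]) or ('eq', attr, value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1          # skip the closing ')'
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")  # 'entryDN:dnSubtreeMatch:' keeps its colons
    return ("eq", attr, val), j + 1

def match(node, dn, entry):
    if node[0] == "&":
        return all(match(n, dn, entry) for n in node[1])
    if node[0] == "|":
        return any(match(n, dn, entry) for n in node[1])
    _, attr, val = node
    if attr.endswith(":"):                # extensible match: attr:rule:=value
        name, rule = attr[:-1].split(":", 1)
        if name.lower() == "entrydn" and rule == "dnSubtreeMatch":
            return dn_in_subtree(dn, val)
        raise ValueError(f"unsupported extensible match {attr!r}")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if val == "*" else val.lower() in values

def search(url, directory):
    base, scope, filt = parse_ldap_url(url)
    node, _ = parse_filter(filt)
    in_scope = {"base": lambda dn: _rdns(dn) == _rdns(base),
                "one": lambda dn: dn_one_level(dn, base),
                "sub": lambda dn: dn_in_subtree(dn, base)}[scope]
    return [dn for dn, e in directory.items() if in_scope(dn) and match(node, dn, e)]

def authz_map(rules, sasl_dn, directory=DIRECTORY):
    """Model slapd's authz-regexp: the first rule whose pattern matches is the
    only one consulted; its URL (with $1.. substituted) is searched, and the
    identity is mapped only when that search returns exactly one entry."""
    for pattern, replace in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)  # slapd: regexec, case-insensitive
        if not m:
            continue
        url = replace
        for idx, grp in enumerate(m.groups(), 1):
            url = url.replace(f"${idx}", grp)
        hits = search(url, directory)
        return hits[0] if len(hits) == 1 else sasl_dn   # assumption: no mapping otherwise
    return sasl_dn

if __name__ == "__main__":
    for label, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE)):
        for user in ("john", "pete", "svc", "ann"):
            print(f"{label:9} {user:5} -> {authz_map(rules, SASL.format(user))}")
```

Running it reproduces the thread: with the two rules only john is mapped (pete falls through the ou=eng search of the first rule and stays as his SASL name), reversing the rules flips which user loses, and the single entryDN rule maps both. The extra entries show the two other outcomes worth knowing about: svc is not mapped because the objectClass=person term excludes it, and ann is not mapped because the same uid appears in both subtrees, so the search is ambiguous; if that can happen in your tree, authz-regexp cannot resolve it and you need a more specific filter or a unique key.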
