Jaap Winius wrote:
> Quoting Howard Chu:
>
>> You can't. As the slapd.conf(5) manpage states, the matching process
>> stops at the first rule that matches the incoming SASL name. ...
>
> Okay. I saw that too, but confused the SASL name with the SASL user
> name. So, the first of my two authz-regexp statements was always a
> match, which stopped the process.
>
>> ... If you want to use multiple authz-regexp statements, they must
>> each have unique "match" portions because any duplicates will be ignored.
>
> And mine were duplicates, since the replacement pattern is not part of
> the match (search pattern).
>
>> For your case, you need to come up with a single search specification...
>
> Where can I find information on how to write LDAP URL search
> specifications?
> For example, RFC2255 doesn't say much about it (e.g. no mention of
> ampersand or pipe characters).
>
>> ... that will handle both branches of your search. One possible solution
>> would be to use entryDN in the filter:
>
> authz-regexp
>   uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
>   ldap:///dc=example,dc=com??sub?
>     (&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
>        (entryDN:dnSubtree:=ou=bio,dc=example,dc=com))
>       (uid=$1)(objectclass=person))
>
> Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
>
> dn:uid=john,cn=example.com,cn=gssapi,cn=auth
> dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?

Ciao, Michael.
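A small model of the two points raised in this thread (first-match-wins over authz-regexp rules, and the difference between `[^,]*` and `[^,]+` in the match portion), added here as an illustration and not code from OpenLDAP or from either poster. It assumes the patterns are unanchored, as written above, and uses the thread's own rule text as constructed sample input.

```python
import re

# Constructed sample rule, copied from the authz-regexp in the thread.
# Each rule is (match portion, replacement portion); slapd tries rules in
# order and stops at the first match portion that matches the SASL name.
THREAD_RULE = (
    r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
    "ldap:///dc=example,dc=com??sub?"
    "(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)"
    "(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))"
    "(uid=$1)(objectclass=person))",
)
# Michael's tighter match portion: the uid must be non-empty.
TIGHTER_RULE = (r"uid=([^,]+),cn=example.com,cn=gssapi,cn=auth", THREAD_RULE[1])


def authz_rewrite(sasl_name, rules):
    """Return (rule index, rewritten identity) for the first rule whose match
    portion matches sasl_name, or None if no rule matches. Simplified model of
    slapd's first-match-wins behaviour (assumption: unanchored patterns)."""
    for index, (pattern, template) in enumerate(rules):
        m = re.search(pattern, sasl_name)
        if m is None:
            continue
        # The replacement portion refers to captured groups as $1..$9.
        rewritten = re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), template)
        return index, rewritten
    return None


def demo():
    john = "uid=john,cn=example.com,cn=gssapi,cn=auth"   # constructed
    empty = "uid=,cn=example.com,cn=gssapi,cn=auth"      # constructed
    # Two rules with an identical match portion: the second can never fire,
    # which is why Jaap's pair of statements behaved like a single rule.
    dup = [THREAD_RULE,
           (THREAD_RULE[0], "ldap:///ou=bio,dc=example,dc=com??sub?(uid=$1)")]
    return {
        "john": authz_rewrite(john, [THREAD_RULE]),
        "duplicate_match": authz_rewrite(john, dup),
        "empty_uid_star": authz_rewrite(empty, [THREAD_RULE]),   # matches, gives (uid=)
        "empty_uid_plus": authz_rewrite(empty, [TIGHTER_RULE]),  # no match at all
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `empty_uid_star` case shows why `[^,]*` is worth tightening: an empty uid still satisfies the match portion and produces a search filter containing `(uid=)`, whereas `[^,]+` simply does not match.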
