https://bugs.openldap.org/show_bug.cgi?id=9657
--- Comment #4 from Michael Ströder <michael@stroeder.com> ---
On 8/30/21 18:49, openldap-its@openldap.org wrote:
> I expect that the simple bind
>
>   ldapwhoami -x -D "uid=lui.veve;ou=persons;o=AEGEE" -w up1 -H ldap://localhost/
>
> is in all matters identical to
>
>   ldapwhoami -Y LOGIN -U"lui.veve" -w up1 -H ldap://localhost/
>
> and the whole purpose of olcAuthzRegexp is to rewrite the username.
That's a false assumption.
>> SASL has to find the user's entry
>
> Simple bind does not have to find the user's entry?
Yes.
To be very clear on this: I would be really angry if the current behaviour were changed, because it would seriously break security properties of existing systems (e.g. https://ae-dir.com and all my other customer setups).
It's easy for you to simply fix your ACLs and be done with it.
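Added example illustrating the point made in this comment; it is not taken from the ITS thread, from the reporter's setup or from OpenLDAP's own documentation. It uses the base ou=persons,o=AEGEE and the uid from the commands quoted above; the database index ({1}mdb), the attribute list and the ACL layout are assumptions. olcAuthzRegexp is consulted only when a SASL bind produces an authentication identity of the form uid=<name>,cn=<mech>,cn=auth; a simple bind with -D binds as exactly the DN given and never passes through it. ACLs are evaluated against the DN that results after that step, so rules written against the entry DN (here via "by self") cover both bind flavours, whereas a rule keyed on the raw uid=...,cn=login,cn=auth form would not match the SASL bind once the mapping has applied and never matches the simple bind.

```ldif
# Added example (not from the ITS thread): cn=config fragment showing the
# interaction between olcAuthzRegexp and ACLs for SASL vs. simple bind.

# Global: rewrite SASL LOGIN identities "uid=<name>,cn=login,cn=auth" to the
# entry below ou=persons,o=AEGEE whose uid matches. Simple binds do not
# pass through this mapping at all.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]*),cn=login,cn=auth ldap:///ou=persons,o=AEGEE??sub?(uid=$1)

# Database (index {1}mdb is an assumption): ACLs see the final bound DN.
#   ldapwhoami -Y LOGIN -U lui.veve ...
#     -> uid=lui.veve,cn=login,cn=auth -> mapped -> uid=lui.veve,ou=persons,o=AEGEE
#   ldapwhoami -x -D "uid=lui.veve,ou=persons,o=AEGEE" ...
#     -> uid=lui.veve,ou=persons,o=AEGEE directly (olcAuthzRegexp not consulted)
# "by self" therefore applies to both; a clause such as
#   by dn.exact="uid=lui.veve,cn=login,cn=auth" ...
# would match neither.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=persons,o=AEGEE"
  by self write
  by users read
  by * none
```

The simple-bind DN in the comment uses ";" between RDNs; the example writes it with the RFC 4514 "," separator, which is the form slapd normalises to before ACL evaluation.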