Pierangelo Masarati wrote:
I don't see an error in OpenLDAP software here. authz regexp matching is designed to succeed only if the identity is univocally resolved to exactly one DN. I'm afraid I cannot even imagine how slapd could decide to pick one out of many DNs when authenticating a user; I guess no one else can.
p.
Matched DNs are unique, as they describe the same entry:

dn: uid=works,dc=example,dc=org
objectClass: extensibleObject
uid: works

dn: cn=worksalso,dc=example,dc=org
objectClass: extensibleObject
cn: worksalso

dn: uid=fails,dc=example,dc=org
objectClass: extensibleObject
uid: fails
cn: fails

"(|(cn=works)(uid=works))" and "(|(cn=worksalso)(uid=worksalso))" match either attribute, whereas "(|(cn=works)(uid=works))" matches twice, but describes the same object.
ldapsearching for "(|(cn=fails)(uid=fails))" will also return only the one and unique entry "uid=fails,dc=example,dc=org".
A