Pierangelo Masarati wrote:
I don't see an error in OpenLDAP software here. authz-regexp matching is designed to succeed only if the identity is unequivocally resolved to exactly one DN. I'm afraid I cannot even imagine how slapd could decide to pick one out of many DNs when authenticating a user; I guess no one else can.
p.
Matched DNs are unique, as they describe the same entry:
dn: uid=works,dc=example,dc=org
objectClass: extensibleObject
uid: works

dn: cn=worksalso,dc=example,dc=org
objectClass: extensibleObject
cn: worksalso

dn: uid=fails,dc=example,dc=org
objectClass: extensibleObject
uid: fails
cn: fails
"(|(cn=works)(uid=works))" and "(|(cn=worksalso)(uid=worksalso))" match either attribute, whereas "(|(cn=works)(uid=works))" matches twice, but describes the same object.
An ldapsearch for "(|(cn=fails)(uid=fails))" will also return only the single, unique entry "uid=fails,dc=example,dc=org".
What authz-regexp does is run an internal search. If the search returns exactly one entry, then there's no way it can be, say, returned twice; otherwise it would also be when running a regular search. Moreover, I've recreated your scenario in 2.3.27 and HEAD, and everything seems to work as expected in all cases. I suspect something else is wrong, for example the data in your DB is not as it appears.

Usually, guessing and expecting is a bad practice when debugging software. Please perform the offending operations with full logs on; check that your data is not duplicated (for example, you might not see duplicates because they're hidden by ACLs) and so on. Unless you can show a clear malfunction of the software (which I don't see here) I'm inclined towards closing this ITS.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
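The following is an added illustration of the rule Pierangelo describes above (authz-regexp runs an internal search and maps the identity only when exactly one entry comes back), applied to the three entries from the report. It is example code written for this page, not slapd's implementation and not part of the ITS. The authz-regexp rule in the comment, the three-entry directory and the extra "dup" entries are all assumed for the example, and the RFC 4515 escaping of the captured value is an addition of mine, not something the report discusses.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Node = Tuple[str, object]

# Constructed sample directory, modelled on the three entries in the report.
ENTRIES: List[Entry] = [
    {"dn": ["uid=works,dc=example,dc=org"], "objectClass": ["extensibleObject"], "uid": ["works"]},
    {"dn": ["cn=worksalso,dc=example,dc=org"], "objectClass": ["extensibleObject"], "cn": ["worksalso"]},
    {"dn": ["uid=fails,dc=example,dc=org"], "objectClass": ["extensibleObject"], "uid": ["fails"], "cn": ["fails"]},
]

# Constructed variant where the identity really is ambiguous: two distinct
# entries, one matching on cn and one on uid. The mapping must refuse this.
AMBIGUOUS_ENTRIES: List[Entry] = ENTRIES + [
    {"dn": ["uid=dup,dc=example,dc=org"], "objectClass": ["extensibleObject"], "uid": ["dup"]},
    {"dn": ["cn=dup,dc=example,dc=org"], "objectClass": ["extensibleObject"], "cn": ["dup"]},
]

# Assumed slapd.conf rule (hypothetical, not quoted from the report):
#   authz-regexp "^uid=([^,]+),cn=[^,]+,cn=auth$"
#                "ldap:///dc=example,dc=org??sub?(|(cn=$1)(uid=$1))"
AUTHZ_PATTERN = re.compile(r"^uid=([^,]+),cn=[^,]+,cn=auth$")
AUTHZ_URL = "ldap:///dc=example,dc=org??sub?(|(cn=$1)(uid=$1))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a captured value cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(flt: str, i: int = 0) -> Tuple[Node, int]:
    """Parse the subset of RFC 4515 filters needed here: equality, AND, OR, NOT."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if flt[i] in "&|":
        op, i, subs = flt[i], i + 1, []
        while flt[i] == "(":
            node, i = parse_filter(flt, i)
            subs.append(node)
        if flt[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    if flt[i] == "!":
        node, i = parse_filter(flt, i + 1)
        if flt[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [node]), i + 1
    j = flt.index(")", i)
    attr, _, value = flt[i:j].partition("=")
    return ("=", (attr, value)), j + 1


def matches(node: Node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op, arg = node
    if op == "=":
        attr, value = arg
        wanted = unescape_filter_value(value).lower()
        return any(v.lower() == wanted for v in entry.get(attr, []))
    if op == "&":
        return all(matches(n, entry) for n in arg)
    if op == "|":
        return any(matches(n, entry) for n in arg)
    return not matches(arg[0], entry)


def search(entries: List[Entry], base: str, flt: str) -> List[str]:
    """Subtree search. Each entry is tested once, so an entry that satisfies
    several branches of an OR filter is still returned exactly once."""
    node, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing data in filter")
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(base.lower()) and matches(node, e)]


def authz_map(authzid: str, entries: List[Entry] = ENTRIES) -> Optional[str]:
    """Map a SASL authorization identity to a DN, or None if it does not
    resolve to exactly one entry (the behaviour described in the reply)."""
    m = AUTHZ_PATTERN.match(authzid)
    if not m:
        return None
    url = AUTHZ_URL
    for idx, group in enumerate(m.groups(), start=1):
        url = url.replace("$%d" % idx, escape_filter_value(group))
    base, _attrs, _scope, flt = url[len("ldap:///"):].split("?", 3)
    dns = search(entries, base, flt)
    return dns[0] if len(dns) == 1 else None


if __name__ == "__main__":
    for ident in ("works", "worksalso", "fails", "dup"):
        print(ident, "->", authz_map("uid=%s,cn=DIGEST-MD5,cn=auth" % ident, AMBIGUOUS_ENTRIES))
```

The "fails" identity maps cleanly: the entry matches both branches of the OR filter, but the search returns the entry, not the matching attributes, so only one DN comes back. The constructed "dup" identity is the case where the rule legitimately refuses, since two different entries satisfy the filter. Escaping the captured value also keeps an identity such as `uid=x)(uid=works` from rewriting the filter, which is why the substitution is escaped here even though the report does not raise that point.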