Jaap Winius wrote:
> Quoting Howard Chu hyc@symas.com:
>> You can't. As the slapd.conf(5) manpage states, the matching process stops at the first rule that matches the incoming SASL name. ...
> Okay. I saw that too, but confused the SASL name with the SASL user name. So, the first of my two authz-regexp statements was always a match, which stopped the process.
>> ... If you want to use multiple authz-regexp statements, they must each have unique "match" portions because any duplicates will be ignored.
> And mine were duplicates, since the replacement pattern is not part of the match (search pattern).
>> For your case, you need to come up with a single search specification...
> Where can I find information on how to write LDAP URL search specifications? For example, RFC2255 doesn't say much about it (e.g. no mention of ampersand or pipe characters).
>> ... that will handle both branches of your search. One possible solution would be to use entryDN in the filter:
>> authz-regexp uid=([^,]*),cn=example.com,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub? (&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com) (entryDN:dnSubtree:=ou=bio,dc=example,dc=com)) (uid=$1)(objectclass=person))
> Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
> dn:uid=john,cn=example.com,cn=gssapi,cn=auth
> dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
Ciao, Michael.
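As an added example, not code from this thread or from OpenLDAP, the Python below models the authz-regexp mapping the messages above discuss: first-match-wins rule selection as slapd.conf(5) describes, $1 substitution into the LDAP URL, and evaluation of the URL's filter, including the ampersand/pipe operators Jaap asks about and the entryDN:dnSubtree:= extensible match, against a small constructed directory. The filter part of an RFC 2255 URL is the RFC 2254 (now RFC 4515) string representation, where "&", "|" and "!" are the AND, OR and NOT prefixes. The directory entries, the pair of duplicate-match rules, and all function names are invented for illustration; the single rule is the one quoted above, with the spaces inside the URL removed so it is one argument. Assumptions: the match is case-insensitive and unanchored, dnSubtree is treated as a plain "is at or below this DN" test, only the "sub" and "base" scopes are modelled, and slapd's requirement that the search return exactly one entry is enforced in resolve().

```python
import re

# Constructed sample directory standing in for dc=example,dc=com; the entries
# are invented for this example and are not data from the thread.
DIRECTORY = {
    "uid=john,ou=eng,dc=example,dc=com": {"uid": ["john"], "objectclass": ["person"]},
    "uid=pete,ou=bio,dc=example,dc=com": {"uid": ["pete"], "objectclass": ["person"]},
    "uid=anna,ou=sales,dc=example,dc=com": {"uid": ["anna"], "objectclass": ["person"]},
    # A non-person entry that also carries uid=john, to show why the filter
    # needs (objectclass=person): the mapping must yield exactly one entry.
    "cn=john-ws,ou=eng,dc=example,dc=com": {"uid": ["john"], "objectclass": ["device"]},
}

# The single authz-regexp from the thread as (match, replacement), spaces removed.
RULE_FROM_THREAD = [(
    r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
    "ldap:///dc=example,dc=com??sub?"
    "(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)"
    "(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))"
    "(uid=$1)(objectclass=person))",
)]

# Constructed pair of rules with identical match portions, one per branch:
# the shape the thread says cannot work, because the second rule is unreachable.
RULES_DUPLICATE_MATCH = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=eng,dc=example,dc=com??sub?(&(uid=$1)(objectclass=person))"),
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=bio,dc=example,dc=com??sub?(&(uid=$1)(objectclass=person))"),
]


def authz_regexp(rules, sasl_dn):
    """First rule whose match portion matches the SASL name wins; $N is filled
    from its groups and later rules are never consulted (slapd.conf(5)).
    Assumption: unanchored, case-insensitive matching."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def parse_filter(s, pos=0):
    """Tiny RFC 4515 parser: (&..), (|..), (!..), (attr=value), (attr:rule:=value).
    No escape handling.  Spaces between components are skipped because the
    quoted filter contains them; the RFC grammar itself allows none."""
    assert s[pos] == "(", "filter component must start with '('"
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while True:
            while s[pos] == " ":
                pos += 1
            if s[pos] != "(":
                break
            child, pos = parse_filter(s, pos)
            children.append(child)
        assert s[pos] == ")", "unterminated %s filter" % op
        return (op, children), pos + 1
    end = s.index(")", pos)
    lhs, value = s[pos:end].split("=", 1)
    if lhs.endswith(":"):                      # extensible match attr:rule:=value
        attr, rule = lhs[:-1].split(":", 1)
        return ("ext", attr, rule, value), end + 1
    return ("eq", lhs, value), end + 1


def dn_in_subtree(dn, base):
    """True when dn is base itself or lies below it (naive, unescaped DNs)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def matches(node, dn, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, dn, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, dn, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], dn, entry)
    if kind == "ext":
        _, attr, rule, value = node
        # entryDN:dnSubtree:= as written in the thread, modelled as a subtree test.
        if attr.lower() == "entrydn" and rule.lower().startswith("dnsubtree"):
            return dn_in_subtree(dn, value)
        raise ValueError("unsupported extensible match %s:%s" % (attr, rule))
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def candidates(rules, sasl_dn, directory):
    """Pick the URL, then evaluate base/scope/filter against the directory."""
    url = authz_regexp(rules, sasl_dn)
    if url is None:
        return []
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    node, _ = parse_filter(flt)
    in_scope = dn_in_subtree if scope == "sub" else (lambda d, b: d.lower() == b.lower())
    return [dn for dn, e in directory.items() if in_scope(dn, base) and matches(node, dn, e)]


def resolve(rules, sasl_dn, directory):
    """slapd accepts the mapping only when the search returns exactly one entry;
    zero or several hits leave the SASL name unmapped (None here)."""
    hits = candidates(rules, sasl_dn, directory)
    return hits[0] if len(hits) == 1 else None
```

With the single rule, resolve() maps john to the ou=eng entry and pete to the ou=bio entry, while anna (outside both subtrees) and a SASL name the regex does not match map to None. With the duplicate-match pair only the first URL is ever built, so pete is never found. A filter of just (uid=$1) under ou=eng returns both john entries in the sample data and therefore maps nothing, which is what the (objectclass=person) clause guards against.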