Jaap Winius wrote:
Quoting Howard Chu <hyc(a)symas.com>:
> You can't. As the slapd.conf(5) manpage states, the matching process
> stops at the first rule that matches the incoming SASL name. ...
Okay. I saw that too, but confused the SASL name with the SASL user
name. So, the first of my two authz-regexp statements was always a
match, which stopped the process.
> ... If you want to use multiple authz-regexp statements, they must
> each have unique "match" portions because any duplicates will be ignored.
And mine were duplicates, since the replacement pattern is not part of
the match (search pattern).
> For your case, you need to come up with a single search specification...
Where can I find information on how to write LDAP URL search
specifications?
For example, RFC2255 doesn't say much about it (e.g. no mention of
ampersand or pipe characters).
> ... that will handle both branches of your search. One possible solution
> would be to use entryDN in the filter:
authz-regexp
uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
ldap:///dc=example,dc=com??sub?
(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))
(uid=$1)(objectclass=person))
Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
dn:uid=john,cn=example.com,cn=gssapi,cn=auth
dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
Ciao, Michael.
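As an added illustration (not code from this thread and not OpenLDAP's own implementation), here is a small Python model of the authz-regexp behaviour discussed above: the first rule whose match portion fits the incoming SASL name wins and later rules are never consulted, $1-style group substitution builds the replacement, and a search-URL mapping only takes effect when the search yields exactly one entry (otherwise ldapwhoami keeps reporting the unmapped SASL name). The two-branch rule set, the SASL names and the empty-uid edge case are constructed for the example; the unanchored regex search and the exactly-one-entry rule are approximations of slapd's behaviour, not its code.

```python
import re
from typing import Optional, Sequence, Tuple

Rule = Tuple[str, str]  # (match regex, replacement DN or LDAP URL)


def expand_groups(match: "re.Match", replacement: str) -> str:
    """Substitute $1..$9 in the replacement with the captured groups."""
    return re.sub(r"\$([1-9])", lambda g: match.group(int(g.group(1))), replacement)


def which_rule_fires(rules: Sequence[Rule], sasl_name: str) -> Optional[int]:
    """Index of the first rule whose match portion fits the SASL name.

    Assumption: an unanchored search, as POSIX regexec would do; anchor
    patterns with ^ and $ in real rules if a full-string match is required.
    """
    for i, (pattern, _) in enumerate(rules):
        if re.search(pattern, sasl_name):
            return i
    return None


def apply_authz_regexp(rules: Sequence[Rule], sasl_name: str) -> Optional[str]:
    """Replacement produced by the first matching rule, or None if none match.

    Matching stops at the first hit, so a second rule with an identical
    match portion can never fire: the replacement is not part of the match.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name)
        if m is not None:
            return expand_groups(m, replacement)
    return None


def select_mapped_dn(search_results: Sequence[str], sasl_name: str) -> str:
    """Outcome of a search-URL mapping (approximation of slapd's rule):
    exactly one entry -> that entry's DN; zero or several -> the SASL name
    stays unmapped, which is what an unchanged ldapwhoami result shows."""
    return search_results[0] if len(search_results) == 1 else sasl_name


# Constructed: two rules whose match portions are identical, one per branch.
DUPLICATE_MATCH_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=eng,dc=example,dc=com??sub?(uid=$1)"),
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=bio,dc=example,dc=com??sub?(uid=$1)"),
]

# The single combined rule from the thread, with its line breaks joined.
COMBINED_RULE = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///dc=example,dc=com??sub?(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)"
     "(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))(uid=$1)(objectclass=person))"),
]

# Constructed SASL names; the empty uid is the edge case behind [^,]* vs [^,]+.
SASL_JOHN = "uid=john,cn=example.com,cn=gssapi,cn=auth"
SASL_PETE = "uid=pete,cn=example.com,cn=gssapi,cn=auth"
SASL_EMPTY = "uid=,cn=example.com,cn=gssapi,cn=auth"

STAR_RULE = [(r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth", "$1")]
PLUS_RULE = [(r"uid=([^,]+),cn=example.com,cn=gssapi,cn=auth", "$1")]

if __name__ == "__main__":
    # Even a user living under ou=bio is sent to the ou=eng URL: rule 0 wins.
    print(which_rule_fires(DUPLICATE_MATCH_RULES, SASL_PETE))
    print(apply_authz_regexp(DUPLICATE_MATCH_RULES, SASL_PETE))
    print(apply_authz_regexp(COMBINED_RULE, SASL_JOHN))
    print(repr(apply_authz_regexp(STAR_RULE, SASL_EMPTY)))   # '' : empty uid accepted
    print(apply_authz_regexp(PLUS_RULE, SASL_EMPTY))         # None: empty uid rejected
    print(select_mapped_dn([], SASL_JOHN))                   # unmapped, as in the thread
```

The last two prints are the difference Michael points at: with [^,]* an empty uid still matches and $1 expands to nothing, so the search filter becomes (uid=); with [^,]+ the rule simply does not fire. select_mapped_dn models why a matching rule can still leave ldapwhoami showing the GSSAPI form: if the search URL returns no entry (or more than one), the mapping does not take effect.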