Re: Auth access for search-based mappings?

Hi all, My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got person objects located in two different org. units and want to search both of them for a potential match, so I included these two statements in slapd.conf: authz-regexp uid=([^,]*),cn=example.com,cn=gssapi,cn=auth ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person)) authz-regexp uid=([^,].*),cn=example.com,cn=gssapi,cn=auth ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person)) Unfortunately, it's not working as I hoped. If I have two test users, uid=john in ou=eng and uid=pete ou=bio, then after first authenticating them with the Kerberos kinit command, in this situation a subsequent ldapwhoami command for each will give: dn:uid=john,ou=eng,dc=example,dc=com dn:uid=pete,cn=example.com,cn=gssapi,cn=auth The second result is, of course, completely useless. However, if I change the order of two authz-regexp statements I get: dn:uid=john,cn=example.com,cn=gssapi,cn=auth dn:uid=pete,ou=bio,dc=example,dc=com Now the first result is useless. In other words, both authz-regexp statements work, but the second statement is being ignored. Why? How can I get slapd to also process the second authz-regexp statement? Thanks, Jaap