Quoting Howard Chu <hyc(a)symas.com>:
> You can't. As the slapd.conf(5) manpage states, the matching
> stops at the first rule that matches the incoming SASL name. ...

Okay. I saw that too, but confused the SASL name with the SASL user
name. So, the first of my two authz-regexp statements was always a
match, which stopped the process.

> ... If you want to use multiple authz-regexp statements, they must
> each have unique "match" portions because any duplicates will be ignored.

And mine were duplicates, since the replacement pattern is not part of
the match (search pattern).

> For your case, you need to come up with a single search

Where can I find information on how to write LDAP URL search specifications?
For example, RFC2255 doesn't say much about it (e.g. no mention of
ampersand or pipe characters).

> ... that will handle both branches of your search. One possible
> would be to use entryDN in the filter:

Unfortunately, this doesn't work at all. Using ldapwhoami I now get: