Hi
 
Certain of our users can bind as themselves, i.e. web applications use the username and password of the user who wants to log in to bind to the OpenLDAP server instead of using a dedicated bind user. This currently only works with the username, which is also the DN of the object. All the objects have an attribute "mail", and I would like to offer the possibility to bind using the email address instead of the username. With the current configuration the server responds to such a bind request with: ldap_bind: Invalid credentials (49)
 
Maybe I did not correctly interpret the slapd.access man page, but as far as I understand it I should be able to solve this using dnattr=mail as the "who" part in the olcAccess. I did try it like this:
 
olcAccess: {4}to attrs=userPassword by dnattr=mail auth
 
But OpenLDAP won't accept that configuration change and outputs the following error message:

ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: <olcAccess> handler exited with 1
 
I also tried with dnattr="mail", with mail in quotation marks, as I've seen in some examples on the web. I can add and delete olcAccess rules without problem otherwise, and I also made sure there are no trailing spaces or any other superfluous characters in my LDIF.
 
Did I misunderstand the man page, and does this only work with the member attribute as in most examples (though I did find other examples using different attributes)? Any idea why OpenLDAP is not happy with my olcAccess rule? Any hint is appreciated!
 
Best,
Cyril Stoll
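Added example, not the poster's code or configuration: the two-step lookup a web application can do itself when the ACL route does not apply (dnattr names an attribute that holds DNs, which mail is not): search by mail with a read-only account, then simple-bind as the DN that was found. The directory entries below are constructed sample data standing in for the ldapsearch result, and the bind is passed in as an assumed simple_bind(dn, password) callable, so no server or client library is needed to run it.

```python
# Added example (not from the original post). Shows the client-side
# "search by mail, then bind as the DN" flow, including the two checks
# that matter for security: escaping the user-supplied email before it
# goes into the search filter, and refusing an empty password.

SAMPLE_DIRECTORY = [  # constructed entries, not real accounts
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "mail": "alice@example.org"},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "mail": "bob@example.org"},
    {"dn": "uid=bob2,ou=people,dc=example,dc=org", "mail": "bob@example.org"},
]


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515), so a typed value like 'a*)(uid=*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def mail_search_filter(mail: str) -> str:
    """Filter the application would send with its read-only search account."""
    return "(&(objectClass=inetOrgPerson)(mail=%s))" % escape_filter_value(mail)


def resolve_bind_dn(mail: str, entries=SAMPLE_DIRECTORY):
    """Return the DN of the one entry whose mail matches, or None.
    mail uses caseIgnoreIA5Match, so the comparison is case-insensitive;
    zero or several hits mean the application must not guess which
    account to bind as."""
    hits = [e["dn"] for e in entries if e["mail"].lower() == mail.lower()]
    return hits[0] if len(hits) == 1 else None


def authenticate(mail: str, password: str, simple_bind,
                 entries=SAMPLE_DIRECTORY) -> bool:
    """Two-step login: resolve mail -> DN, then simple-bind as that DN.
    simple_bind(dn, password) -> bool is the assumed hook performing the
    real LDAP bind (e.g. via python-ldap or ldap3)."""
    if not password:
        # An empty password is an unauthenticated bind (RFC 4513 5.1.2);
        # the server may answer success without checking anything.
        return False
    dn = resolve_bind_dn(mail, entries)
    if dn is None:
        return False
    return bool(simple_bind(dn, password))
```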