On 12/20/19 8:54 PM, Stefan Kania wrote:
I would like to get the original DN from the user not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1)
Looks correct to me.
Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to "dc=example,dc=net" "entry" requested [..] Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth access denied by none(=0) [..] When I add the rule:
olcAccess: {1}to * by * read
ldapwhoami is working like I expected it:
anonymous needs auth access to the entries and attributes used for authz-regexp mappings.
At minimum:
access to dn.subtree="dc=example,dc=net" attrs=entry,uid by anonymous auth
Access control is complex. YMMV. So don't use exactly these ACLs because they will block other access you need.
Ciao, Michael.