
Re: Auth access for search-based mappings?
Hi all,

My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got person objects located in two different org. units and want to search both of them for a potential match, so I included these two statements in slapd.conf:

   authz-regexp
      uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
      ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

   authz-regexp
      uid=([^,].*),cn=example.com,cn=gssapi,cn=auth
      ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))

Unfortunately, it's not working as I hoped. If I have two test users, uid=john in ou=eng and uid=pete in ou=bio, then after first authenticating them with the Kerberos kinit command, a subsequent ldapwhoami command for each will give:

   dn:uid=john,ou=eng,dc=example,dc=com
   dn:uid=pete,cn=example.com,cn=gssapi,cn=auth

The second result is, of course, completely useless. However, if I change the order of the two authz-regexp statements I get:

   dn:uid=john,cn=example.com,cn=gssapi,cn=auth
   dn:uid=pete,ou=bio,dc=example,dc=com

Now the first result is useless. In other words, both authz-regexp statements work, but the second statement is being ignored. Why? How can I get slapd to also process the second authz-regexp statement?

Thanks,

Jaap
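An added illustration (not part of the original message and not slapd's own code) of the behaviour slapd.conf(5) documents for authz-regexp: directives are tried in file order and only the first regexp that matches the SASL DN is used, so the second directive above is never consulted, and if that first directive's search returns no entry the identity stays unmapped. The model assumes a constructed two-entry directory and shows a single directive with a subtree search from the suffix as one way to cover both org. units.

```python
import re

# Constructed stand-in for the directory: the two test users from the post.
ENTRIES = [
    "uid=john,ou=eng,dc=example,dc=com",
    "uid=pete,ou=bio,dc=example,dc=com",
]

def ldap_search(base, scope, uid):
    """Model of the search in an authz-regexp URI: scope 'one' matches direct
    children of base, scope 'sub' matches anything below base."""
    hits = []
    for dn in ENTRIES:
        rdn, _, parent = dn.partition(",")
        if rdn != f"uid={uid}":
            continue
        if (scope == "one" and parent == base) or \
           (scope == "sub" and dn.endswith("," + base)):
            hits.append(dn)
    return hits

# Pulls base, scope and the uid filter value out of an expanded search URI.
URI_RE = re.compile(r"ldap:///([^?]*)\?\?([^?]*)\?\(&\(uid=([^)]*)\)")

def authz_map(rules, sasl_dn):
    """First matching regexp wins (as documented for slapd); its URI is
    searched and the identity is mapped only when exactly one entry is
    returned, otherwise the SASL DN is kept unchanged."""
    for pattern, uri in rules:
        m = re.match(pattern, sasl_dn)
        if not m:
            continue
        base, scope, uid = URI_RE.match(uri.replace("$1", m.group(1))).groups()
        hits = ldap_search(base, scope, uid)
        return hits[0] if len(hits) == 1 else sasl_dn
    return sasl_dn

# The two directives exactly as posted.
POSTED_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
    (r"uid=([^,].*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))"),
]
# One directive whose subtree search from the suffix covers both org. units.
SINGLE_RULE = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///dc=example,dc=com??sub?(&(uid=$1)(objectClass=person))"),
]
```

Running authz_map with POSTED_RULES reproduces the two ldapwhoami results from the post, and swapping the order reproduces the second pair; SINGLE_RULE maps both users.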