Thank you for your help, now it's working. I should have read the log more closely, that's what the log said :-) But sometimes you just need an input from someone else.

On 23.12.19 at 09:40, Michael Ströder wrote:
> On 12/20/19 8:54 PM, Stefan Kania wrote:
>> I would like to get the original DN from the user not the
>> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
>> -----------------
>> olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
>> ldap:///dc=example,dc=net??sub?(uid=$1)
>> -----------------
>
> Looks correct to me.
>
>> Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to
>> "dc=example,dc=net" "entry" requested
>> [..]
>> Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth
>> access denied by none(=0)
>> [..]
>> When I add the rule:
>> -----------------
>> olcAccess: {1}to * by * read
>> -----------------
>> ldapwhoami is working like I expected it:
>
> anonymous needs auth access to the entries and attributes used for
> authz-regexp mappings.
>
> At minimum:
>
> access to
>   dn.subtree="dc=example,dc=net"
>   attrs=entry,uid
>   by anonymous auth
>
> Access control is complex. YMMV. So don't use exactly these ACLs because
> they will block other access you need.

I know ;-) it will be set wisely.

Stefan

> Ciao, Michael.
> --
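As an added illustration (not part of the thread, and not Stefan's or Michael's configuration): a cn=config LDIF that puts Michael's minimal rule at the head of the olcAccess list without running into the caveat he raises. Taken on its own, an ACL `to dn.subtree="dc=example,dc=net" attrs=entry,uid by anonymous auth` ends with an implicit `by * none`, so authenticated users would lose access to `entry` and `uid` below the suffix. The `by * none break` control sends every non-anonymous identity on to the following rules instead. The database DN `olcDatabase={1}mdb,cn=config`, the `userPassword` rule and the `by self write` grants are assumptions for the example; the `olcAuthzRegexp` value is the one from Stefan's mail, folded onto an LDIF continuation line.

```ldif
# Example LDIF, not from the original thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-acl.ldif
# The database DN below is an assumption; check yours with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=example,dc=net)" dn

# Global mapping of the SASL/GSSAPI authentication DN to the user's real entry.
# This is the value from the thread; the leading space continues the line.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
  ldap:///dc=example,dc=net??sub?(uid=$1)

# ACLs of the database that holds dc=example,dc=net.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: the authz-regexp search runs as anonymous and needs "auth" on the
# entry pseudo-attribute and on uid. "auth" permits the lookup but does
# not let anonymous read or search uid values. Without "break", everyone
# else would stop here with the implicit "by * none".
olcAccess: {0}to dn.subtree="dc=example,dc=net" attrs=entry,uid
  by anonymous auth
  by * none break
# {1}: password hashes are never readable; "auth" keeps simple binds
# working, users may change their own. (Assumed rule, not from the thread.)
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {2}: everything else is visible to authenticated identities only.
# "self" here is the DN the regexp mapped to, not the cn=gssapi,cn=auth form.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

After loading this, `ldapwhoami -Y GSSAPI` should report the mapped `dn:uid=...,dc=example,dc=net` rather than `dn:uid=...,cn=gssapi,cn=auth`. If it still reports the unmapped form, raise `olcLogLevel` to include `acl` and look for the same `=> access_allowed: auth access to ... "entry" requested` line as in the thread; a following `denied by none` means the anonymous rule is not the first one that matches.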