
Re: Anonymously binding despite '-U ....' to ldapsearch



>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    Howard> Judging from your ACLs, you're still using the old format
    Howard> for SASL DNs. See the 2.1 Admin Guide for details on the
    Howard> new SASL DN format.

    Howard> In OpenLDAP 2.1.12, the SASL authorization DN is logged
    Howard> with AUTHZ keyword instead of BIND. This inconsistency has
    Howard> been fixed in 2.1.13, using BIND throughout. So, one of
    Howard> the reasons you're not seeing the DN you expect is because
    Howard> you're grepping for the wrong log message.

I found out that using:

----- s n i p -----
sasl-regexp
        uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=bayour,dc=com
[...]
access to * by dn="uid=turbo,ou=People,dc=bayour,dc=com" write
----- s n i p -----

gave the attribute I was looking for. Now I come to the more
difficult one (I really _HATE_ regexp :). My users are also
located under other branches than 'dc=bayour.com'. How would
I write a sasl-regexp that will catch this?

Example: 
----- s n i p -----
dn: uid=malin,ou=People,dc=sundqvist,dc=com
        access to '.*,dc=sundqvist,dc=com'
        access to '.*,dc=fredriksson,dc=com'
        access to '.*,dc=bayour,dc=com'

dn: uid=jonathan,ou=People,dc=intelligence-5,dc=com
        access to '.*,dc=intelligence-5,dc=com'

dn: uid=jens,ou=People,dc=agby,dc=com
        access to '.*,dc=agby,dc=com'
----- s n i p -----

The 'uid=XXX' is the same as the Kerberos principal/username so
that might help things...
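As an added illustration (not part of the original post, and not OpenLDAP's own code), the small Python model below mimics how an ordered list of sasl-regexp rules turns a SASL authentication identity such as `uid=turbo,cn=bayour.com,cn=gssapi,cn=auth` into the DN that ACLs are evaluated against. It assumes two things that are not on this page: that OpenLDAP 2.1's sasl-regexp also accepts an LDAP URI (`ldap:///<base>??sub?(uid=$1)`) as the replacement, resolved by a search that must return exactly one entry (check the 2.1 Admin Guide the reply points to), and a constructed realm `agby.com` for the second rule. The in-memory "directory" is built from the DNs quoted in the post. Two behaviours matter for the symptom in the subject line: a DN-template replacement is taken literally, so mapping every `bayour.com` principal to `ou=People,dc=bayour,dc=com` produces DNs that do not exist for users in other branches; and when no rule matches, the identity keeps its `cn=auth` form, which no `by dn=` ACL written for the People branches will match, so the bind looks anonymous from the ACL's point of view.

```python
"""Model of slapd-style sasl-regexp identity mapping (added example, not from the post)."""
import re

# Constructed stand-in for the directory described in the post: one entry per user,
# each under its own dc= branch.
DIRECTORY = [
    "uid=turbo,ou=People,dc=bayour,dc=com",
    "uid=malin,ou=People,dc=sundqvist,dc=com",
    "uid=jonathan,ou=People,dc=intelligence-5,dc=com",
    "uid=jens,ou=People,dc=agby,dc=com",
]

# Rules are tried top to bottom; the first pattern that matches wins.  The replacement
# is either a literal DN template (used as-is, no existence check) or an LDAP URI
# whose search must return exactly one entry.  $1 is the first capture group, as in
# slapd.conf.  The realm in the second rule (agby.com) is a constructed assumption.
RULES = [
    # '.' is escaped and the whole identity must match (fullmatch below) so that a
    # principal from a look-alike realm cannot be mapped by this rule.
    (r"uid=([^,]+),cn=bayour\.com,cn=gssapi,cn=auth",
     "ldap:///dc=com??sub?(uid=$1)"),
    (r"uid=([^,]+),cn=agby\.com,cn=gssapi,cn=auth",
     "uid=$1,ou=People,dc=agby,dc=com"),
]


def _uid_of(dn):
    """Value of the leading RDN if it is a uid=, else None."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.lower() == "uid" else None


def _under(dn, base):
    """True if dn equals base or lies below it (case-insensitive, no normalisation)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def ldap_search(uri, directory):
    """Resolve the only URI shape this demo understands: ldap:///<base>??sub?(uid=<v>)."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", uri)
    if not m:
        raise ValueError("unsupported URI form: " + uri)
    base, _attrs, scope, filt = m.groups()
    f = re.fullmatch(r"\(uid=([^)]*)\)", filt)
    if scope != "sub" or not f:
        raise ValueError("demo only resolves '?sub?(uid=...)' URIs")
    uid = f.group(1).lower()
    return [dn for dn in directory
            if _under(dn, base) and (_uid_of(dn) or "").lower() == uid]


def map_identity(authcid_dn, rules=RULES, directory=DIRECTORY):
    """Return the DN used for authorization, or None if a URI mapping failed.

    Mirrors slapd's observable behaviour: first matching rule wins; a URI search with
    zero or several hits is a failed mapping; no matching rule leaves the SASL-form DN
    unchanged (which is what the ACLs then see).
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, authcid_dn, re.IGNORECASE)
        if not m:
            continue
        # slapd templates write $1, $2 ...; Python's expand() wants \1, \2 ...
        replacement = m.expand(re.sub(r"\$(\d)", r"\\\1", template))
        if not replacement.lower().startswith("ldap:///"):
            return replacement
        hits = ldap_search(replacement, directory)
        return hits[0] if len(hits) == 1 else None
    return authcid_dn


if __name__ == "__main__":
    for ident in ("uid=turbo,cn=bayour.com,cn=gssapi,cn=auth",
                  "uid=malin,cn=bayour.com,cn=gssapi,cn=auth",
                  "uid=jens,cn=agby.com,cn=gssapi,cn=auth",
                  "uid=nobody,cn=bayour.com,cn=gssapi,cn=auth",
                  "uid=turbo,cn=other.org,cn=gssapi,cn=auth"):
        print(f"{ident:48} -> {map_identity(ident)}")
```

Run as a script it prints the mapped DN for each constructed identity. The URI form is what lets one rule serve users spread over several dc= branches: the search, not the regexp, decides which branch the entry lives in, and a uid that exists in two branches makes the mapping fail rather than silently picking one. In a real slapd.conf the URI base still has to lie inside a naming context the server holds.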