
authz-regexp trouble, help!



Hi,

I have the following directive in the slapd.conf:


authz-regexp
     gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth
     ldapi:///ou=people,dc=local???(uidNumber=$2)


but the server is unable to fetch (slap_sasl2dn: Converted SASL name to <nothing>)

Here is the trace output (slapd -d 2177 -h "ldapi:/// ldaps:/// ldap:///"):

50ca62b8 >>> dnPrettyNormal: <>
50ca62b8 <<< dnPrettyNormal: <>, <>
50ca62b8 do_bind: dn () SASL mech EXTERNAL
50ca62b8 ==>slap_sasl2dn: converting SASL name
gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth to a DN
50ca62b8 ==> rewrite_context_apply [depth=1]
string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'
50ca62b8 ==> rewrite_rule_apply
rule='gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth'
string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'
[1 pass(es)]
50ca62b8 ==> rewrite_context_apply [depth=1]
res={0,'ldapi:///ou=people,dc=local??sub?(uidNumber=1000)'}
50ca62b8 slap_parseURI: parsing
ldapi:///ou=people,dc=local??sub?(uidNumber=1000)
ldap_url_parse_ext(ldapi:///ou=people,dc=local??sub?(uidNumber=1000))
50ca62b8 <==slap_sasl2dn: Converted SASL name to <nothing>
50ca62b8 SASL Authorize [conn=1001]:  proxy authorization allowed authzDN=""
50ca62b8 send_ldap_sasl: err=0 len=-1
50ca62b8 do_bind: SASL/EXTERNAL bind:
dn="gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"
sasl_ssf=0
50ca62b8 send_ldap_response: msgid=1 tag=97 err=0

Direct sasl authz mapping works fine, but URI does not, what's wrong
with this stuff?

How can I check URI correctness for slapd or get tracing info from
ldap_url_parse_ext/slap_sasl2dn about why they returned nothing?

With which access rights does slapd do its internal query? How to configure them?
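
An offline check of the two steps visible in the trace above (the regex rewrite, then splitting the resulting LDAP URL into its fields), added here as an example; it is not part of the original post and not OpenLDAP's code. It assumes an anchored match and the RFC 4516 field layout, the helper names `rewrite` and `parse_ldap_url` are hypothetical, and it does not reproduce the search slapd runs afterwards.

```python
import re
from urllib.parse import unquote

# Match pattern and replacement copied from the authz-regexp directive in the post.
MATCH = r"gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth"
REPLACE = "ldapi:///ou=people,dc=local???(uidNumber=$2)"

def rewrite(sasl_name):
    """Fill $N in REPLACE from the match, or return None when the rule does not apply.
    Assumption: the pattern is treated as anchored at both ends."""
    m = re.fullmatch(MATCH, sasl_name)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), REPLACE)

def parse_ldap_url(url):
    """Split scheme://host/base?attrs?scope?filter?exts (RFC 4516 layout)."""
    scheme, sep, rest = url.partition("://")
    # ldaps and ldapi are the extra schemes used on slapd's -h line in the post.
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    base, attrs, scope, filt, exts = (tail.split("?", 4) + [""] * 4)[:5]
    if scope and scope.lower() not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %r" % scope)
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter is not parenthesised: %r" % filt)
    return {"scheme": scheme.lower(), "host": unquote(host), "base": unquote(base),
            "attrs": attrs, "scope": scope.lower(), "filter": unquote(filt)}

if __name__ == "__main__":
    suffix = ",cn=peercred,cn=external,cn=auth"
    # First name is the one in the trace; the other two are constructed samples.
    for name in ("gidNumber=1000+uidNumber=1000", "gidNumber=100+uidNumber=5",
                 "gidNumber=0+uidNumber=0"):
        url = rewrite(name + suffix)
        print(name, "->", parse_ldap_url(url) if url else "no match")
```

The single-digit sample does not match because `[^0][0-9]+` needs at least two characters, so such a peer would keep its raw `cn=peercred` identity instead of being mapped.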