[Date Prev][Date Next]
Re: Auth access for search-based mappings?
Jaap Winius wrote:
> Quoting Howard Chu <firstname.lastname@example.org>:
>> You can't. As the slapd.conf(5) manpage states, the matching process
>> stops at the first rule that matches the incoming SASL name. ...
> Okay. I saw that too, but confused the SASL name with the SASL user
> name. So, the first of my two authz-regexp statements was always a
> match, which stopped the process.
>> ... If you want to use multiple authz-regexp statements, they must
>> each have unique "match" portions because any duplicates will be ignored.
> And mine were duplicates, since the replacement pattern is not part of
> the match (search pattern).
>> For your case, you need to come up with a single search specification...
> Where can I find information on how to write LDAP URL search
> For example, RFC2255 doesn't say much about it (e.g. no mention of
> ampersand or pipe characters).
>> ... that will handle both branches of your search. One possible solution
>> would be to use entryDN in the filter:
> Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?