Quoting Michael Ströder <michael@stroeder.com>:
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
That would only help to avoid matching an empty uid. Anyway, we've already established that the problem is not the search pattern, but the authz-regexp replacement pattern. Howard has suggested an interesting LDAP search URL/URI; it may not work, but it looks like the right idea.
Also, I'm still bothered by the note at the very end of section 15.2.6 of the OpenLDAP admin manual. There's a similar note on the man page for slapd.conf:
"The protocol portion of the URI must be strictly ldap. Note that this search is subject to access controls. Specifically, the authentication identity must have "auth" access in the subject."Perhaps Howard's URL is correct, but that this issue is keeping it from working. This is even what my question was originally about: What does this mean? Who is supposed to have auth access to what in order for this to work?
Cheers, Jaap