On 12/20/19 8:54 PM, Stefan Kania wrote:
> I would like to get the original DN from the user, not the
> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
> -----------------
> olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
> ldap:///dc=example,dc=net??sub?(uid=$1)
> -----------------
Looks correct to me.
> Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to
> "dc=example,dc=net" "entry" requested
> [..]
> Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth
> access denied by none(=0)
> [..]
> When I add the rule:
> -----------------
> olcAccess: {1}to * by * read
> -----------------
> ldapwhoami is working as I expected:
anonymous needs auth access to the entries and attributes used for
authz-regexp mappings.
At minimum:
access to
dn.subtree="dc=example,dc=net"
attrs=entry,uid
by anonymous auth
Access control is complex. YMMV. So don't use exactly these ACLs because
they will block other access you need.
Ciao, Michael.
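Added example (not from either message in this thread): the minimal "by anonymous auth" rule from the reply placed ahead of the usual rules, so the authz-regexp lookup works without the catch-all "to * by * read". The database entry olcDatabase={1}mdb,cn=config is an assumption; olcAuthzRegexp itself stays on cn=config as in the quoted configuration.

```ldif
# Assumed database entry; adjust to the backend actually in use.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Keep password hashes out of the "to *" rule below.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# The internal search for ldap:///dc=example,dc=net??sub?(uid=$1) runs as
# anonymous, so it needs auth access to the entry itself and to uid.
# "by users read" keeps these attributes readable after the bind; without
# it this rule alone would deny authenticated users (implicit "by * none").
olcAccess: {1}to dn.subtree="dc=example,dc=net" attrs=entry,uid
  by anonymous auth
  by users read
  by * none
# Everything else: authenticated users only, no anonymous read.
olcAccess: {2}to *
  by users read
  by * none
```

Rule order matters: the first "to" clause that matches the target is the only one evaluated, so the entry,uid rule must precede the "to *" rule.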