Thank you for your help, now it's working. I should have read the log more closely, that's what the log said :-) But sometimes you just need an input from someone else.
On 23.12.19 at 09:40 Michael Ströder wrote:
> On 12/20/19 8:54 PM, Stefan Kania wrote:
>> I would like to get the original DN from the user not the
>> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
>> -----------------
>> olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
>> ldap:///dc=example,dc=net??sub?(uid=$1)
>> -----------------
>
> Looks correct to me.
>
>> Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to
>> "dc=example,dc=net" "entry" requested
>> [..]
>> Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth
>> access denied by none(=0)
>> [..]
>> When I add the rule:
>> -----------------
>> olcAccess: {1}to * by * read
>> -----------------
>> ldapwhoami is working like I expected it:
>
> anonymous needs auth access to the entries and attributes used for
> authz-regexp mappings.
>
> At minimum:
>
> access to
> dn.subtree="dc=example,dc=net"
> attrs=entry,uid
> by anonymous auth
>
> Access control is complex. YMMV. So don't use exactly these ACLs because
> they will block other access you need.
I know ;-) it will be set wisely.
Stefan
>
> Ciao, Michael.
>
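The mapping and the minimal ACL discussed above, written out as cn=config LDIF. This is an added example and not a configuration from either poster; it assumes the data backend is olcDatabase={1}mdb,cn=config (a placeholder, adjust to your server) and keeps the suffix dc=example,dc=net from the thread. The specific clause must come before the catch-all `to *` because slapd evaluates olcAccess clauses in index order and stops at the first `to` that matches the target.

```ldif
# Added example, not from the thread.
# 1) The authz-regexp lives in the global cn=config entry. LDIF folding
#    strips one leading space on continuation lines, so two spaces are
#    used to keep the blank between the regexp and the search URL.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
  ldap:///dc=example,dc=net??sub?(uid=$1)

# 2) The ACLs belong to the database holding the user entries.
#    Placeholder DN: olcDatabase={1}mdb,cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# The mapping search runs as anonymous, so anonymous needs "auth" on the
# entry pseudo-attribute and on uid within the searched subtree. Nothing
# more is granted to anonymous; "by * none" closes the clause.
olcAccess: {0}to dn.subtree="dc=example,dc=net" attrs=entry,uid
  by anonymous auth
  by users read
  by * none
# Catch-all for everything else: authenticated identities may read,
# anonymous gets nothing. Replace with the policy your directory needs.
olcAccess: {1}to *
  by users read
  by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`, then check the result with `ldapwhoami -Y GSSAPI`: the answer should be the mapped `dn:uid=...,dc=example,dc=net` rather than the `cn=gssapi,cn=auth` form. If the log again shows `auth access denied by none(=0)` on the suffix entry, the specific clause is either missing `entry` in `attrs` or ordered after the catch-all.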