sasl-regexp mystery
Hi there,
I'm trying to map a SASL identity to an entry in the LDAP database.
The identity I'm trying to map is:
uid=ldapmaster,cn=gssapi,cn=auth
I would like to map it to:
cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com
This entry is a kerberos principal, so it has a krb5PrincipalName
with value ldapmaster@EXAMPLE.COM, but it's not a posixAccount, so it
has no uid. I have other entries that are kerberos principals and posix
accounts, so they have the uid attribute. I'm using the following
sasl-regexp:
sasl-regexp
uid=(.+),cn=.+,cn=auth
ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))
This is working for entries with uid, but failing miserably for the
ldapmaster shown above:
server root # ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldapmaster@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn:uid=ldapmaster,cn=gssapi,cn=auth
If I instead use the following:
sasl-regexp
uid=(.+),cn=.+,cn=auth
ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@example.com))
the mapping works as expected:
server root # ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldapmaster@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn:cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com
but I still don't know why the first mapping (desired) doesn't
work. I'm using OpenLDAP 2.1.30... any ideas? Am I missing anything? By
the way, the search seems to be correct:
server root # ldapsearch "(krb5PrincipalName=ldapmaster@EXAMPLE.COM)"
SASL/GSSAPI authentication started
[snip]
# ldapmaster@example.com, kerberos, example.com
dn: cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com
[snip]
krb5PrincipalName: ldapmaster@EXAMPLE.COM
[snip]
# numResponses: 2
# numEntries: 1
Thanks in advance,
Jose
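To see exactly which search a sasl-regexp directive turns a SASL identity into, the mapping step can be replayed offline. The following script is an added example, not slapd's code or anything from the thread: it matches the identity against the regexp, substitutes $1 into the replacement, and splits the resulting ldap:/// URL into base, scope and filter (or returns the DN when the replacement is a plain DN). It assumes an anchored match of the whole identity and uses the two URLs and the identity from the post as constructed input.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed input taken from the post above.
SASL_ID = "uid=ldapmaster,cn=gssapi,cn=auth"
PATTERN = r"uid=(.+),cn=.+,cn=auth"
URL_KRB5 = "ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))"
URL_CN = "ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@example.com))"
DN_DIRECT = "cn=$1@example.com,ou=kerberos,dc=example,dc=com"


def expand_sasl_regexp(sasl_id: str, pattern: str, replacement: str) -> Optional[str]:
    """Match the SASL identity against the regexp and substitute $1..$9.
    Returns None when the pattern does not match (slapd then tries the next
    sasl-regexp, or leaves the identity unmapped). Whole-string match is an
    assumption of this example, not a statement about slapd's matcher."""
    m = re.fullmatch(pattern, sasl_id)
    if m is None:
        return None
    # slapd writes capture groups as $N; translate each to the matched text.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def parse_ldap_url(url: str) -> dict:
    """Split an RFC 4516 URL (ldap:///dn?attrs?scope?filter) into its parts,
    applying the defaults an LDAP client would use for missing fields."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len(prefix):].split("?", 3)
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = (unquote(p) for p in parts)
    return {
        "base": base,
        "attrs": attrs.split(",") if attrs else [],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
    }


def map_identity(sasl_id: str, pattern: str, replacement: str) -> Optional[dict]:
    """Return the search slapd would run (URL form) or the DN it would
    substitute directly (DN form), or None when the regexp does not match."""
    expanded = expand_sasl_regexp(sasl_id, pattern, replacement)
    if expanded is None:
        return None
    if expanded.startswith("ldap:///"):
        return parse_ldap_url(expanded)
    return {"dn": expanded}
```

Running map_identity with URL_KRB5 shows the generated filter is the same one the ldapsearch in the post matched by hand, which narrows the problem to how slapd performs that internal search rather than to the regexp itself.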