SASL, ACLs and mapping non-user IDs



list members,

i am trying to allow processes (and hosts) access to LDAP, and have a
few questions around mapping IDs using SASL.  i have the below
olcAuthzRegexp statements, which work for user@REALM.TLD, but not for
primary/instance@REALM.TLD.

{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
{1}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
{2}uid=([^,]*),cn=auth uid=$1,ou=Users,dc=bpk2,dc=com

Is there a best practice for mapping non-user identities?  i imagine
there are a couple ways to do things or a few things i need to do to
correctly manage this, but i am not clear on some details.

first, when mapping a non-user ID, do you map the primary or the
instance to the ldap object (or both)?  if only one, what can or should
be done with the other?  does it hit the floor and is never looked at
again, or can it be used to quantify/qualify the other?  take the
example of host/computer.domain.tld@REALM.TLD or
DNS/computer.domain.tld@REALM.TLD.  would i map host and DNS to
something?

second, i believe the olcAuthzRegexp directives are processed in order
of listing, so if i were to add one that maps the primary or the
instance (or both) to an LDAP object that is not in the Users OU, then
there would not be a conflict with the previous directives attempting to
map the ID to any object in the Users OU.  can this be confirmed?

as for the ACLs, once i have the mapping of ID to object down, it would
just be a matter of adding, for instance, a "by" line to an existing ACL
granting the ID the appropriate access to the appropriate resource(s).
am i missing anything significant?

thanks in advance,

brendan
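The ordering question raised in the post, as an added example that is not part of the original message: a small Python model of how slapd walks an olcAuthzRegexp list (rules tried in listed order, the first match wins, `$1` expanded from the capture group), run over the three posted rules plus one hypothetical extra rule for host/ principals. The ou=Hosts subtree, the cn=$1 target, the exact cn=auth pseudo-DN constructed for the host principal and the case-insensitive matching are assumptions made for the illustration, not something the post states. It shows which rule fires for a given identity and why placement of a more specific rule matters; it does not diagnose the live server.

```python
import re

# The three rules from the post, in {0},{1},{2} order (regex, replacement).
POSTED_RULES = [
    (r"uid=([^,]*),cn=bpk2\.com,cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=bpk2,dc=com"),
    (r"uid=([^,]*),cn=gssapi,cn=auth",              "uid=$1,ou=Users,dc=bpk2,dc=com"),
    (r"uid=([^,]*),cn=auth",                        "uid=$1,ou=Users,dc=bpk2,dc=com"),
]

# Hypothetical rule (assumption, not from the post): map host/<fqdn> principals
# to a cn=<fqdn> entry under an assumed ou=Hosts subtree instead of ou=Users.
HOST_RULE = (r"uid=host/([^,]*),cn=bpk2\.com,cn=gssapi,cn=auth",
             "cn=$1,ou=Hosts,dc=bpk2,dc=com")


def map_auth_dn(auth_dn: str, rules) -> str:
    """Model of slapd's authz-regexp pass over a cn=auth pseudo-DN.

    Rules are tried in list order; the first whose regex matches supplies the
    replacement, with $N expanded from the capture groups.  If nothing
    matches the pseudo-DN is returned unchanged.  Matching is modelled as
    case-insensitive (assumption).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            # Expand $1, $2, ... literally (the callable form of re.sub does
            # no further backslash processing on the returned text).
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


# Constructed sample pseudo-DNs of the form slapd builds for SASL identities:
# uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.  The host one assumes the SASL
# layer reports the principal as "host/computer.domain.tld" with realm bpk2.com.
USER_DN = "uid=brendan,cn=bpk2.com,cn=gssapi,cn=auth"
HOST_DN = "uid=host/computer.domain.tld,cn=bpk2.com,cn=gssapi,cn=auth"


def with_host_rule_first() -> str:
    """Specific rule listed before the generic ones: it is the one that fires."""
    return map_auth_dn(HOST_DN, [HOST_RULE] + POSTED_RULES)


def with_host_rule_last() -> str:
    """Specific rule listed after the generic ones: [^,]* already swallowed
    'host/computer.domain.tld', so the generic ou=Users rule wins and the
    host rule is never reached."""
    return map_auth_dn(HOST_DN, POSTED_RULES + [HOST_RULE])


def posted_rules_only(auth_dn: str) -> str:
    return map_auth_dn(auth_dn, POSTED_RULES)


if __name__ == "__main__":
    print("user, posted rules     :", posted_rules_only(USER_DN))
    print("host, posted rules     :", posted_rules_only(HOST_DN))
    print("host, host rule first  :", with_host_rule_first())
    print("host, host rule last   :", with_host_rule_last())
```

The second and fourth lines of output are the point of the exercise: a rule whose capture is `[^,]*` matches a `host/…` username just as readily as a plain one, so a rule aimed at a different subtree only takes effect if it is listed before the generic rule, and the resulting DN still has to name an entry (or a search URL) that actually exists before any `by` clause can grant it anything.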