Full_Name: Mike Jackson Version: 2.4.45 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.157.185.162)
On a server with KRB5_KTNAME and KRB5CCNAME in its environment but without a functional /etc/krb5.conf file, olcAuthzRegexp mappings are completely ignored for EXTERNAL auth (in my tests, distinguished names for X.509 client authentication were not remapped until OL was able to kinit its own Kerberos ticket).
This is a bit of a corner case, but a pretty annoying bug nonetheless when building up new servers and indicates a failure in logic somewhere or another.
Chat logs follow:
JoBbZ: podz: oh, you're saying that the regex fails if you use a *non* GSSAPI mechanism, and the krb5.conf can't talk to a KDC?
[9:41pm] podz: yes
[9:41pm] podz: and this is a dysfunction
[9:41pm] JoBbZ: yes, that'd be a bug for sure
[9:41pm] podz: it's really a dysfunction
[9:42pm] JoBbZ: well, there should be zero reason for GSSAPI to even be initialized if using EXTERNAL
[9:42pm] podz: precisely
[9:42pm] tarpman: that's sounding more like a sasl bug so far...
[9:42pm] podz: tarpman: like i said, i am not sure where the bug lies
[9:43pm] podz: something is fishy, though
[9:43pm] podz: now i am going to eat some cake and be back in 20-30 mins
[9:44pm] JoBbZ: well, EXTERNAL is all openldap code, doesn't depend on cyrus-sasl
[9:45pm] JoBbZ: so it could be a bug in OpenLDAP that it is calling cyrus-sasl at all in this case
[9:45pm] podz: probably you are right
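For anyone trying to reproduce the report, the following is an added example of the kind of olcAuthzRegexp mapping it describes; it is not configuration from the submitter or from the OpenLDAP project, and the certificate subject DN, the directory suffix and the attribute names are assumptions. It maps the subject DN that slapd derives from a TLS client certificate (presented as the SASL EXTERNAL authentication identity) onto an entry under ou=people in the directory:

```ldif
# Added example, not part of the ITS submission. Assumed names:
# client certificates carry subject DNs like cn=<name>,ou=people,o=example
# and the directory holds matching entries under ou=people,dc=example,dc=com.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),ou=people,o=example$" "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"
```

To check whether the mapping is applied, bind with the client certificate and ask the server who it thinks you are, e.g. with LDAPTLS_CERT and LDAPTLS_KEY exported and `ldapwhoami -Y EXTERNAL -H ldaps://ldap.example.com` (hostname assumed). Run it once before adding the rule to see the exact identity string slapd constructs from the certificate, and write the regex against that string rather than against the certificate as you think of it. Afterwards the answer should be the mapped directory DN; if it is still the raw certificate DN, the rule is being ignored, and to isolate the condition in the report, compare runs with slapd started with and without KRB5_KTNAME and KRB5CCNAME in its environment while /etc/krb5.conf is absent or unusable.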