Hello list.
I successfully configured OpenLDAP for Kerberos authentication and user mapping:

    authz-regexp "uid=([^,]+),cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"

However, the mapping doesn't work when authenticating with a user from a different realm than the one of the server. The logs show the realm is not stripped from the username, as it should be:

    Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
    Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56

authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a classic problem, and Kerberos provides mapping rules for users of external domains, such as described here: http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html

I used those rules successfully with mod_krb, for instance. However, OpenLDAP seems to ignore them. I had to change the previous regexp to:

    authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"

Is this intentional?
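The following is an added example, not code from the original post or from OpenLDAP itself: a small offline tester that replays both authz-regexp rules from the post against the two bind DNs slapd would construct (the local-realm one is assumed; the foreign-realm one is taken from the log above), then looks the rewritten filter up in a constructed one-user directory. It models slapd's rule evaluation as POSIX-style regex search with $N substitution; treating the match as case-insensitive is an assumption of the example. The directory contents, the DIRECTORY dict and the helper names are all constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the original post): the bind DNs slapd
# builds from the SASL authcid, and a toy directory holding the one user.
LOCAL_DN = "uid=rousse,cn=gssapi,cn=auth"                    # assumed local-realm bind
FOREIGN_DN = "uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth"  # DN seen in the log
DIRECTORY = {"rousse": "uid=rousse,ou=users,dc=futurs,dc=inria,dc=fr"}

URL = "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
# The two authz-regexp rules from the post, as (match, replace) pairs.
ORIGINAL_RULE = (r"uid=([^,]+),cn=gssapi,cn=auth", URL)
FIXED_RULE = (r"uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth", URL)

Rule = Tuple[str, str]


def apply_authz_regexp(rules: List[Rule], dn: str) -> Optional[str]:
    """Rewrite dn with the first matching rule, or return None.

    Mirrors slapd's authz-regexp: regex search over the
    uid=<authcid>,cn=<mech>,cn=auth DN, then $0..$9 expanded from the
    match groups into the replacement. Case-insensitive matching here is
    an assumption of this example, not a documented guarantee.
    """
    for match, replace in rules:
        m = re.search(match, dn, re.IGNORECASE)
        if m is None:
            continue

        def expand(ref: "re.Match[str]") -> str:
            n = int(ref.group(1))
            if n > m.re.groups:          # reference to a group the rule lacks
                return ""
            return m.group(n) or ""      # optional groups may be None

        return re.sub(r"\$(\d)", expand, replace)
    return None


def uid_from_url(url: str) -> Optional[str]:
    """Pull the uid value out of the (uid=...) filter of a rewritten LDAP URL."""
    m = re.search(r"\(uid=([^)]*)\)", url)
    return m.group(1) if m else None


def resolve(rules: List[Rule], dn: str) -> Optional[str]:
    """Map a bind DN to a directory entry DN, or None if nothing matches."""
    url = apply_authz_regexp(rules, dn)
    if url is None:
        return None
    uid = uid_from_url(url)
    if uid is None:
        return None
    return DIRECTORY.get(uid.lower())    # uid is a caseIgnore attribute


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        for dn in (LOCAL_DN, FOREIGN_DN):
            print(f"{label:8} {dn}")
            print(f"         -> {apply_authz_regexp([rule], dn)}")
            print(f"         -> entry: {resolve([rule], dn)}")
```

Run stand-alone, the original rule turns the foreign-realm DN into a filter of (uid=rousse@saclay.inria.fr), which matches no entry, while the fixed rule yields (uid=rousse) for both DNs. Note what the fixed rule also does: it collapses the same login name from every realm onto one local entry, so if more than one realm is trusted, a principal named rousse in any of them is authorized as the local rousse; a rule that matches only the intended realm's suffix avoids that.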