On Tue, Apr 08, 2025 at 02:35:58PM +0200, Stefan Kania wrote:
Hi all,
I want to rewrite the GSSAPI user name after authentication using olcAuthzRegexp, but I want to rewrite it to the krbPrincipalName. If a principal gets a ticket and then tests the authentication with "ldapwhoami", I see: uid=my-principal,cn=gssapi,cn=auth
So now I want to rewrite the uid to: krbPrincipalName=my-principal@REALM,cn=REALM,cn=kerberos,dc=example,dc=net the real object name.
My first try was olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net
That is working. Now "ldapwhoami" is showing krbPrincipalName=my-principal@REALM,cn=realm,cn=kerbers,dc=example,dc=net
Then I changed olcAuthzRegexp to uid=(.+),cn=gssapi,cn=auth ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)
I also tried: (krbPrincipalName=$1) (krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net)
but none of the filters is working. How do I have to configure the filter to rewrite to the krbPrincipalName within the search?
Hi Stefan,

Hard to tell, but it might be down to ACLs. If you want to use LDAP URIs for user selection, there is an internal search that is run, and it needs `auth` privileges to run. You probably need to run with ACL logs enabled and check that your ACLs are not standing in the way of that.
Regards,
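An added example (not from this thread) of what the reply describes: the LDAP-URI form of olcAuthzRegexp from the question, together with an ACL that grants the internal search `auth` access to krbPrincipalName in the Kerberos subtree. It assumes the Kerberos container lives in olcDatabase={1}mdb, the realm is REALM, and that the internal search runs as anonymous, so the rule uses `by anonymous auth`; confirm the actual identity with ACL logging as suggested above.

```ldif
# Added example, not from the original thread.
# Assumptions: Kerberos data in olcDatabase={1}mdb, realm REALM,
# container cn=kerberos,dc=example,dc=net.

# 1) Map the SASL/GSSAPI identity to the real entry via an LDAP URI.
#    Continuation lines (leading space) are joined into one value.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]+),cn=gssapi,cn=auth
  ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)

# 2) Let the internal search evaluate the filter: it needs 'auth'
#    access to the attribute in the filter and to the entry itself.
#    'auth' only allows comparison, not reading the value, so it does
#    not expose principal names to anonymous clients.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=kerberos,dc=example,dc=net"
  attrs=entry,krbPrincipalName
  by anonymous auth
  by users read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif`, then verify the rule without a live bind using `slapacl -b "krbPrincipalName=my-principal@REALM,cn=REALM,cn=kerberos,dc=example,dc=net" krbPrincipalName/auth`, which reports whether `auth` access is granted to that attribute.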