I am trying to figure out different behaviors with authz-regexp in slapd.conf.
openldap 2.4-39
RHEL 6.5
cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
krb5-libs 1.10.3-42
We're mapping based on a search for the presence of the userPassword attribute.
In production is:
sasl-host pennid.upenn.edu
authz-regexp uid=(.*),cn=UPENN.EDU,cn=gssapi,cn=auth
ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
and the authentication mapping works as desired; the user@realm gets mapped to just the username and the search succeeds:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
However, on development in a different kerberos realm, that statement will not map properly. The mapping doesn't take place, so user@realm is used for the (unsuccessful) search:
sasl-host pennid-dev.net.isc.upenn.edu
sasl-realm TEST.NET.ISC.UPENN.EDU
authz-regexp uid=(.*),cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth
ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
no mapping takes place:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL data security layer installed.
dn:uid=netmon@test.net.isc.upenn.edu,cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth
However, a change to the regexp on the development system will cause mapping to work there:
authz-regexp uid=(.*)@TEST.NET.ISC.UPENN.EDU,cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth
ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
But a similar regexp in production will not map properly:
authz-regexp uid=(.*)@UPENN.EDU,cn=UPENN.EDU,cn=gssapi,cn=auth
ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL data security layer installed.
dn:uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth
Can anyone shed light on the different behavior?
- only the authz-regexp has been modified
- slapd was restarted after the changes.
Thanks,
Peter
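To see which of the four authz-regexp lines in the post matches which authcid DN, and what each match turns into, here is an added Python model of slapd's rewrite step. It is written for this thread; it is not OpenLDAP code and not part of Peter's configuration. It takes the two DNs exactly as ldapwhoami printed them in the unmapped cases, assumes slapd's behaviour of an unanchored, case-insensitive POSIX extended regex match followed by $1 substitution into the replacement URL, and stops short of the LDAP search itself. The result is the search filter each rule would produce, which is where the dev and prod cases differ: on dev the original pattern does match, but `(.*)` captures the realm into $1, so the filter looks for `netmon@test.net.isc.upenn.edu@TEST.NET.ISC.UPENN.EDU`, while on prod the `@UPENN.EDU` variant cannot match an authcid DN that carries no realm.

```python
"""Offline model of slapd's authz-regexp rewrite step.

Constructed example for this thread, not OpenLDAP code.  Given the SASL
authcid DN that slapd builds from the GSSAPI identity (the DN ldapwhoami
prints when no mapping applies), each authz-regexp rule is applied the way
slapd applies it: a POSIX extended, case-insensitive regex search, with $1..$9
substituted into the replacement URL.  The LDAP search that follows is not
performed; the model only shows what search each rule would trigger.
"""

import re

# DNs copied from the ldapwhoami output in the post.  slapd normalizes the
# authcid DN (lower-cases it) before the regexp runs, which is why the
# printed DNs are lower case.
PROD_DN = "uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth"
DEV_DN = "uid=netmon@test.net.isc.upenn.edu,cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth"

# Replacement URLs from the post (identical except for the realm).
PROD_URL = "ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)"
DEV_URL = "ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)"

# (match pattern, replacement) pairs, one per authz-regexp line in the post.
PROD_ORIGINAL = ("uid=(.*),cn=UPENN.EDU,cn=gssapi,cn=auth", PROD_URL)
PROD_WITH_REALM = ("uid=(.*)@UPENN.EDU,cn=UPENN.EDU,cn=gssapi,cn=auth", PROD_URL)
DEV_ORIGINAL = ("uid=(.*),cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth", DEV_URL)
DEV_WITH_REALM = ("uid=(.*)@TEST.NET.ISC.UPENN.EDU,cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth", DEV_URL)


def rewrite(authcid_dn, pattern, replacement):
    """Apply one authz-regexp rule; return the rewritten URL, or None if no match.

    slapd compiles the pattern with REG_EXTENDED|REG_ICASE and matches it with
    regexec(), i.e. an unanchored, case-insensitive search, so re.search with
    IGNORECASE is the closest Python equivalent for the patterns used here.
    """
    m = re.search(pattern, authcid_dn, re.IGNORECASE)
    if m is None:
        return None
    # $N in the replacement becomes capture group N of the match.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def search_filter(url):
    """Return the filter component of an LDAP URL (the part after the last '?')."""
    return url.rsplit("?", 1)[1]


def outcome(authcid_dn, rule):
    """Describe what slapd would do for one identity under one rule.

    Returns ("no-match", None) if the regexp does not match at all, otherwise
    ("search", filter).  In slapd, a search that finds no entry leaves the
    authcid DN unmapped, which is what the "no mapping takes place" cases in
    the post show; a no-match has the same visible effect.
    """
    url = rewrite(authcid_dn, *rule)
    if url is None:
        return ("no-match", None)
    return ("search", search_filter(url))


if __name__ == "__main__":
    cases = [
        ("prod, original regexp", PROD_DN, PROD_ORIGINAL),
        ("prod, regexp with @REALM", PROD_DN, PROD_WITH_REALM),
        ("dev, original regexp", DEV_DN, DEV_ORIGINAL),
        ("dev, regexp with @REALM", DEV_DN, DEV_WITH_REALM),
    ]
    for label, dn, rule in cases:
        print(f"{label}: {outcome(dn, rule)}")
```

Running it prints one line per case; the two filters that contain a bare `netmon@REALM` are the ones that can find an entry with a matching `userPassword: {SASL}` value, and the two other cases (a doubled realm in the filter, or no regexp match) both leave the authcid DN unmapped. The model matches against the lower-cased DN as printed, so the captured `$1` is lower case too; it says nothing about why one slapd strips the realm from the SASL username and the other does not, only about what the regexp does with each form.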