i am trying to get kerberos id <--> ldap object mapping down for dovecot, and seem to have hit a wall.
i have the kerberos service principal created and a keytab populated. i can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com@BPK2.COM id. when i run ldapwhoami i get:
SASL/GSSAPI authentication started
SASL username: imap/test.bpk2.com@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com
the olcAuthzRegexp i am trying to use is not matching and the mapping falls through to the regular user mappings. i have tried all the permutations i can think of in the RegEx, but cannot get the match to occur.
as a reference, i looked at the matching i do for the computer accounts, and there is nothing obviously wrong.
olcAuthzRegexp attempts:
{2}uid=imap/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
klist output:
Ticket cache: KEYRING:persistent:0:0
Default principal: imap/test.bpk2.com@BPK2.COM

Valid starting       Expires              Service principal
05/06/2015 11:42:08  05/07/2015 11:40:16  ldap/server2.bpk2.com@BPK2.COM
        renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  ldap/server1.bpk2.com@BPK2.COM
        renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  krbtgt/BPK2.COM@BPK2.COM
        renew until 05/13/2015 11:40:16
how do i find what i am doing wrong? note the below olcAuthzRegexp works to map hosts to computer accounts:
{0}uid=host/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth cn=$1,ou=Computers,dc=bpk2,dc=com
thanks,
brendan
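An added simulation, not part of the post above, of how slapd walks olcAuthzRegexp rules in index order and stops at the first match. The {0} rule and the {2} rule are taken from the post; the {1} rule is an assumption standing in for the "regular user mapping" the post mentions but does not show, and matching is approximated with Python's re module rather than slapd's POSIX regex engine.

```python
import re

# Authentication DN slapd derives from the GSSAPI bind (from the post's ldapwhoami output).
SASL_DN = "uid=imap/test.bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth"

# Rules in index order, as slapd evaluates them. {1} is ASSUMED: a broad rule that
# reproduces the "ou=domainusers" DN ldapwhoami actually returned.
RULES = [
    (r"uid=host/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
     "cn=$1,ou=Computers,dc=bpk2,dc=com"),                                   # {0}, from the post
    (r"uid=(.*),cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=$1,ou=domainusers,ou=users,dc=bpk2,dc=com"),                       # {1}, assumed
    (r"uid=imap/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com"),                     # {2}, from the post
]

# The four patterns the post tried, to check whether the regexes themselves match.
ATTEMPTS = [
    r"uid=imap/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
    r"uid=imap/(.*),cn=bpk2.com,cn=gssapi,cn=auth",
    r"uid=imap/(.*),cn=gssapi,cn=auth",
    r"uid=imap/(.*),cn=auth",
]


def apply_rules(sasl_dn, rules):
    """Return (rule_index, mapped_dn) for the FIRST matching rule, as slapd does.
    Returns (None, sasl_dn) when nothing matches. Unanchored, case-insensitive search
    approximates slapd matching against its normalized (lower-cased) authcid DN."""
    for index, (pattern, replacement) in enumerate(rules):
        match = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if match:
            mapped = replacement
            for n, group in enumerate(match.groups(), start=1):
                mapped = mapped.replace(f"${n}", group)   # slapd-style $1 substitution
            return index, mapped
    return None, sasl_dn


def matching_rule_indexes(sasl_dn, rules):
    """Diagnostic: every rule index that WOULD match if it were tried first.
    Any index listed after the first one is shadowed and never reached."""
    return [i for i, (pattern, _) in enumerate(rules)
            if re.search(pattern, sasl_dn, flags=re.IGNORECASE)]


def attempts_that_match(sasl_dn):
    """Which of the post's four patterns match the SASL DN on their own."""
    return [p for p in ATTEMPTS if re.search(p, sasl_dn, flags=re.IGNORECASE)]
```

Under the assumed {1} rule every one of the four attempts matches on its own, so the rule index is what decides the outcome; moving the imap rule ahead of the broad user rule changes the result.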