Good day,
I am trying to figure out different behaviors with authz-regexp in slapd.conf.
openldap 2.4-39
RHEL 6.5
cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
krb5-libs 1.10.3-42
We're mapping based on a search for the presence of the userPassword attribute.
In production is:
sasl-host pennid.upenn.edu
sasl-realm UPENN.EDU
authz-regexp uid=(.*),cn=UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
and the authentication mapping works as desired; the user@realm gets mapped to just the username and the search succeeds:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
However, on development in a different Kerberos realm, that statement will not map properly. The mapping doesn't take place, so user@realm is used for the (unsuccessful) search:
sasl-host pennid-dev.net.isc.upenn.edu
sasl-realm TEST.NET.ISC.UPENN.EDU
authz-regexp uid=(.*),cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
No mapping takes place:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon@test.net.isc.upenn.edu,cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth
However, a change to the regexp on the development system will cause mapping to work there:
authz-regexp uid=(.*)@TEST.NET.ISC.UPENN.EDU,cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
$ ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
But a similar regexp in production will not map properly:
authz-regexp uid=(.*)@UPENN.EDU,cn=UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth
Can anyone shed light on the different behavior?
- only the authz-regexp has been modified
- slapd was restarted after the changes.
Thanks,
Peter
openldap-technical@openldap.org
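As an added illustration (not code from the post or from OpenLDAP), the Python model below runs each of the four authz-regexp lines above against the SASL authorization DN that ldapwhoami printed in the unmapped cases, so you can see which rules match and what search filter the $1 substitution actually produces before touching slapd.conf. It assumes the match is case-insensitive (the production rule written as cn=UPENN.EDU matches the reported cn=upenn.edu) and models no escaping of the captured text.

```python
import re

# Constructed from the post: the SASL authorization DN slapd reported for each
# environment when no mapping took effect (the "dn:" line of ldapwhoami).
SASL_DNS = {
    "prod": "uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth",
    "dev": "uid=netmon@test.net.isc.upenn.edu,cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth",
}

BASE = "ldap:///ou=entities,dc=upenn,dc=edu??one?"

# The four authz-regexp lines from the post as (match, replace) pairs.
# The dots in the realm names are unescaped, so as regex they match any character.
RULES = {
    "prod-plain": (r"uid=(.*),cn=UPENN.EDU,cn=gssapi,cn=auth",
                   BASE + "(userPassword={SASL}$1@UPENN.EDU)"),
    "prod-at":    (r"uid=(.*)@UPENN.EDU,cn=UPENN.EDU,cn=gssapi,cn=auth",
                   BASE + "(userPassword={SASL}$1@UPENN.EDU)"),
    "dev-plain":  (r"uid=(.*),cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth",
                   BASE + "(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)"),
    "dev-at":     (r"uid=(.*)@TEST.NET.ISC.UPENN.EDU,cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth",
                   BASE + "(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)"),
}


def apply_authz_regexp(sasl_dn, match, replace):
    """Return the search URL the rule would issue, or None if the pattern does not match.

    Simplified model of authz-regexp: the pattern is matched unanchored (like
    regexec) and $1..$9 are substituted into the replacement. Case-insensitive
    matching is an assumption based on the production result in the post.
    """
    m = re.search(match, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)


def search_filter(url):
    """Extract the filter component of an ldap:///base?attrs?scope?filter URL."""
    return None if url is None else url.split("?", 3)[3]


def evaluate(env):
    """Run every rule against one environment's SASL DN; None means 'no match'."""
    return {name: search_filter(apply_authz_regexp(SASL_DNS[env], *rule))
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for env in SASL_DNS:
        print(env, SASL_DNS[env])
        for name, flt in evaluate(env).items():
            print(f"  {name:11s} -> {flt}")
```

Note that the dev "plain" rule does match, but its greedy (.*) captures netmon@test.net.isc.upenn.edu, so the resulting filter carries the realm twice and cannot find the entry, which is why the identity falls back to the SASL DN.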