Good day,
I am trying to figure out different behaviors with authz-regexp in slapd.conf.
openldap 2.4-39
RHEL 6.5
cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
krb5-libs 1.10.3-42
We're mapping based on a search for the presence of the userPassword attribute.
In production is:
sasl-host pennid.upenn.edu
sasl-realm UPENN.EDU
authz-regexp uid=(.*),cn=UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
and the authentication mapping works as desired; the user@realm gets mapped to just
the username and the search succeeds:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
However, on development in a different kerberos realm, that statement will not map
properly. The mapping doesn't take place, so user@realm is used for the
(unsuccessful) search:
sasl-host pennid-dev.net.isc.upenn.edu
sasl-realm TEST.NET.ISC.UPENN.EDU
authz-regexp uid=(.*),cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
no mapping takes place:
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon@test.net.isc.upenn.edu,cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth
However, a change to the regexp on the development system will cause mapping to work
there:
authz-regexp uid=(.*)@TEST.NET.ISC.UPENN.EDU,cn=TEST.NET.ISC.UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@TEST.NET.ISC.UPENN.EDU)
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid-dev.net.isc.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@TEST.NET.ISC.UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,ou=entities,dc=upenn,dc=edu
But a similar regexp in production will not map properly:
authz-regexp uid=(.*)@UPENN.EDU,cn=UPENN.EDU,cn=gssapi,cn=auth ldap:///ou=entities,dc=upenn,dc=edu??one?(userPassword={SASL}$1@UPENN.EDU)
ldapwhoami -Y GSSAPI -U netmon -H ldaps://pennid.upenn.edu
SASL/GSSAPI authentication started
SASL username: netmon@UPENN.EDU
SASL SSF: 56
SASL data security layer installed.
dn:uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth
Can anyone shed light on the different behavior?
- only the authz-regexp has been modified
- slapd was restarted after the changes.
Thanks,
Peter
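The four outcomes reported above can be replayed offline by running each authz-regexp pattern against the two authcDNs that ldapwhoami printed. The script below is an added example written for this page, not code from the post or from OpenLDAP. It assumes only what slapd documents and what the post shows: the pattern is a POSIX extended regex matched case-insensitively against the lower-cased uid=...,cn=auth DN, $1 is filled from the first capture group, and when the pattern does not match slapd keeps the raw authcDN. The realm-tolerant pattern at the end is a suggestion of mine and has not been tested against slapd.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the two authcDNs slapd reported in the post.
# The production form carries a bare uid; the development form keeps the
# Kerberos realm inside the uid.  slapd has lower-cased both DNs.
AUTHC_DN_PROD = "uid=netmon,cn=upenn.edu,cn=gssapi,cn=auth"
AUTHC_DN_DEV = ("uid=netmon@test.net.isc.upenn.edu,"
                "cn=test.net.isc.upenn.edu,cn=gssapi,cn=auth")

SEARCH_BASE = "ldap:///ou=entities,dc=upenn,dc=edu??one?"


def rule(realm: str, strip_realm: bool) -> Tuple[str, str]:
    """Build (pattern, replacement) in the shape of the post's authz-regexp lines.

    strip_realm=False is the original 'uid=(.*),cn=REALM,...' form,
    strip_realm=True the modified 'uid=(.*)@REALM,cn=REALM,...' form.
    The dots in the realm are left unescaped, exactly as in the post.
    """
    if strip_realm:
        pattern = rf"uid=(.*)@{realm},cn={realm},cn=gssapi,cn=auth"
    else:
        pattern = rf"uid=(.*),cn={realm},cn=gssapi,cn=auth"
    return pattern, f"{SEARCH_BASE}(userPassword={{SASL}}$1@{realm})"


def authz_map(pattern: str, replacement: str, authc_dn: str) -> Optional[str]:
    """Simulate one authz-regexp line.

    Matches the pattern case-insensitively against the normalized authcDN
    (slapd compiles it as a POSIX extended regex with REG_ICASE) and fills
    $1..$9 in the replacement from the capture groups.  Returns the search
    URL slapd would run, or None when the pattern does not match; in that
    case slapd keeps the raw uid=...,cn=auth DN, which is what ldapwhoami
    printed in the post.  $n is inserted as plain text; this simulation does
    not attempt any filter escaping.
    """
    m = re.search(pattern, authc_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda tok: m.group(int(tok.group(1))), replacement)


def replay_post() -> Dict[str, Optional[str]]:
    """Run the four regexps from the post against the DN each was tried on."""
    return {
        "prod original": authz_map(*rule("UPENN.EDU", False), AUTHC_DN_PROD),
        "dev original": authz_map(*rule("TEST.NET.ISC.UPENN.EDU", False), AUTHC_DN_DEV),
        "dev modified": authz_map(*rule("TEST.NET.ISC.UPENN.EDU", True), AUTHC_DN_DEV),
        "prod modified": authz_map(*rule("UPENN.EDU", True), AUTHC_DN_PROD),
    }


def realm_tolerant_rule(realm: str) -> Tuple[str, str]:
    """Hypothetical pattern (my suggestion, not from the post) that accepts the
    uid with or without a trailing @realm.  $1 captures only the bare user;
    the optional realm lands in $2 and is simply not used in the replacement.
    """
    pattern = rf"uid=([^@,]+)(@[^,]+)?,cn={realm},cn=gssapi,cn=auth"
    return pattern, f"{SEARCH_BASE}(userPassword={{SASL}}$1@{realm})"


if __name__ == "__main__":
    for name, url in replay_post().items():
        print(f"{name:14s} -> {url}")
    for realm, dn in (("UPENN.EDU", AUTHC_DN_PROD),
                      ("TEST.NET.ISC.UPENN.EDU", AUTHC_DN_DEV)):
        print(f"tolerant {realm:24s} -> {authz_map(*realm_tolerant_rule(realm), dn)}")
```

The replay makes the asymmetry visible: the original dev pattern does match, but the greedy (.*) swallows the realm, so the filter ends up as userPassword={SASL}netmon@test.net.isc.upenn.edu@TEST.NET.ISC.UPENN.EDU and the search finds nothing, while the modified prod pattern never matches because the production authcDN contains no @ at all. What differs between the two servers is therefore the SASL username that reaches slapd (with or without the realm), not the regexp mechanics; where that difference originates is not visible in the post. A pattern that only captures up to the first @ or comma, as in realm_tolerant_rule, maps both forms to the bare user in this simulation.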