Issue 8729 - saslregex mapping failure
Summary: saslregex mapping failure
Status: VERIFIED WORKSFORME
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.45
Hardware: All
OS: All
Importance: --- normal
Target Milestone: 2.5.0
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-11 21:11 UTC by mikedotjackson@gmail.com
Modified: 2020-04-19 19:09 UTC (History)
0 users

See Also:


Attachments

Description mikedotjackson@gmail.com 2017-09-11 21:11:36 UTC
Full_Name: Mike Jackson
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.157.185.162)


On a server with KRB5_KTNAME and KRB5CCNAME in its environment but without a
functional /etc/krb5.conf file, olcAuthzRegexp mappings are completely ignored
for EXTERNAL auth (in my tests, distinguished names for X.509 client
authentication were not remapped until OL was able to kinit its own Kerberos
ticket).

This is a bit of a corner case, but a pretty annoying bug nonetheless when
building up new servers and indicates a failure in logic somewhere or another.

Chat logs follow:


JoBbZ: podz: oh, you're saying that the regex fails if you use a *non* GSSAPI
mechanism, and the krb5.conf can't talk to a KDC?
[9:41pm] podz: yes
[9:41pm] podz: and this is a dysfunction
[9:41pm] JoBbZ: yes, that'd be a bug for sure 
[9:41pm] podz: it's really a dysfunction
[9:42pm] JoBbZ: well, there should be zero reason for GSSAPI to even be
initialized if using EXTERNAL
[9:42pm] podz: precisely
[9:42pm] tarpman: that's sounding more like a sasl bug so far...
[9:42pm] podz: tarpman: like I said, I am not sure where the bug lies
[9:43pm] podz: something is fishy, though
[9:43pm] podz: now I am going to eat some cake and be back in 20-30 mins
[9:44pm] JoBbZ: well, EXTERNAL is all openldap code, doesn't depend on
cyrus-sasl
[9:45pm] JoBbZ: so it could be a bug in OpenLDAP that it is calling cyrus-sasl
at all in this case
[9:45pm] podz: probably you are right
Comment 1 Ryan Tandy 2020-03-28 01:05:05 UTC
Hello, I'm afraid I can't reproduce this. I'm using OpenLDAP 2.4.47 and Heimdal on Debian buster.

I've configured slapd both as a server (allowing clients to authenticate using GSSAPI) and as a client (running a syncrepl client with GSSAPI bind). I have broken the setup in a bunch of different ways (removing slapd's credentials cache; stopping the KDC; entering wrong info in /etc/krb5.conf; deleting /etc/krb5.conf) and I have not seen it fail to respect my olcAuthzRegexp rules for EXTERNAL (tested ldapi: gidNumber/uidNumber as well as TLS client cert).

Marking WORKSFORME, but feel free to reopen if you can provide further info about your case. Thanks!