
olcAuthzRegexp not matching

I am trying to get the Kerberos id <--> LDAP object mapping down for Dovecot, and seem to have hit a wall.

I have the Kerberos service principal created and a keytab populated. I can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com@BPK2.COM id. When I run ldapwhoami I get:

SASL/GSSAPI authentication started
SASL username: imap/test.bpk2.com@BPK2.COM
SASL data security layer installed.

The olcAuthzRegexp I am trying to use is not matching and the mapping falls through to the regular user mappings. I have tried all the permutations I can think of in the RegEx, but cannot get the match to occur.

As a reference, I looked at the matching I do for the computer accounts, and there is nothing obviously wrong.

olcAuthzRegexp attempts:
{2}uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com

{2}uid=imap\/(.*),cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com

{2}uid=imap\/(.*),cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com

{2}uid=imap\/(.*),cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com

klist output:
Ticket cache: KEYRING:persistent:0:0
Default principal: imap/test.bpk2.com@BPK2.COM

Valid starting       Expires              Service principal
05/06/2015 11:42:08  05/07/2015 11:40:16  ldap/server2.bpk2.com@BPK2.COM
	renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  ldap/server1.bpk2.com@BPK2.COM
	renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  krbtgt/BPK2.COM@BPK2.COM
	renew until 05/13/2015 11:40:16

How do I find what I am doing wrong? Note the below olcAuthzRegexp works to map hosts to computer accounts:

{0}uid=host\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth cn=$1,ou=Computers,dc=bpk2,dc=com
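The following is an added example written for this thread, not code from the poster or from OpenLDAP. It reproduces offline the two steps slapd performs before any ACL is consulted: the SASL authentication identity `imap/test.bpk2.com@BPK2.COM` is first rewritten into the DN form `uid=imap/test.bpk2.com,cn=BPK2.COM,cn=gssapi,cn=auth`, and that string is then run through the olcAuthzRegexp rules in {N} order, where the first rule that matches wins and later rules are never consulted. Python's `re` stands in for the POSIX extended regex that slapd uses (a close but not exact approximation), and the case-insensitive, unanchored matching mirrors how slapd compiles and applies the rules. The `{1}` catch-all user rule in the example is a hypothetical stand-in for the "regular user mappings" the post mentions; it is not something the post shows. Running the rules through this harness shows that the poster's first `{2}` attempt does match the service principal's DN on its own, so if the mapping still lands on a user entry, the rule that comes before it in the list is the thing to look at.

```python
"""Simulate slapd's SASL identity -> olcAuthzRegexp mapping.

Added example for this thread, not OpenLDAP code. Assumptions (labelled):
  * the SASL authcid becomes uid=<user>,cn=<realm>,cn=<mech>,cn=auth when
    the username carries an @realm suffix (as the poster's working host
    rule already relies on);
  * rules are tested in {N} order, case-insensitively, unanchored, and the
    first match wins, with $N expanded from the capture groups;
  * Python's re module approximates POSIX extended regex.
"""
import re


def sasl_authcid_dn(username: str, mech: str) -> str:
    """Build the cn=auth DN that slapd matches the authz rules against."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return f"uid={user},cn={realm},cn={mech.lower()},cn=auth"
    return f"uid={username},cn={mech.lower()},cn=auth"


def authz_map(dn: str, rules):
    """Walk ordered (pattern, replacement) rules; first match wins.

    Returns (rule_index, mapped_identity), or (None, dn) if no rule matched.
    """
    for idx, (pattern, replacement) in enumerate(rules):
        # regexec() is not anchored unless the pattern carries ^ / $, so
        # re.search (not re.fullmatch) is the faithful stand-in.
        m = re.search(pattern, dn, re.IGNORECASE)
        if m:
            mapped = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            return idx, mapped
    return None, dn


# The SASL username shown by ldapwhoami in the post, in its cn=auth DN form.
IMAP_DN = sasl_authcid_dn("imap/test.bpk2.com@BPK2.COM", "GSSAPI")

# {0}: the poster's working host rule, verbatim.
HOST_RULE = (
    r"uid=host\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
    "cn=$1,ou=Computers,dc=bpk2,dc=com",
)
# {1}: HYPOTHETICAL generic user rule standing in for the "regular user
# mappings" the post refers to; the real {1} is not shown in the thread.
GENERIC_USER_RULE = (
    r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
    "ldap:///ou=Users,dc=bpk2,dc=com??sub?(uid=$1)",
)
# {2}: the poster's first attempt, verbatim.
IMAP_RULE = (
    r"uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
    "uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com",
)


def rule_matches_alone(rule, dn=IMAP_DN) -> bool:
    """Does this single rule match the service principal's DN by itself?"""
    return authz_map(dn, [rule])[0] == 0


def first_matching_rule(rules, dn=IMAP_DN):
    """Index of the rule slapd would actually use for this DN."""
    return authz_map(dn, rules)[0]


if __name__ == "__main__":
    print("cn=auth DN      :", IMAP_DN)
    print("imap rule alone :", rule_matches_alone(IMAP_RULE))
    for order, name in ((
        [HOST_RULE, GENERIC_USER_RULE, IMAP_RULE], "host, user, imap"),
        ([HOST_RULE, IMAP_RULE, GENERIC_USER_RULE], "host, imap, user"),
    ):
        idx, mapped = authz_map(IMAP_DN, order)
        print(f"order {name:16}: rule {idx} -> {mapped}")
```

Two checks on the real server complete the picture: `ldapwhoami -Y GSSAPI` prints a `dn:` line after the SASL banner (it is missing from the output quoted in the post) that is the identity the rules actually produced, and running slapd with `-d trace` logs the `slap_authz_regexp` conversion of the SASL name, which shows which rule fired.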