
sasl-regexp mystery

Hi there,

I'm trying to map a SASL identity to an entry in the LDAP database. The identity I'm trying to map is:
uid=ldapmaster,cn=gssapi,cn=auth
I would like to map it to:
cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com


This entry is a kerberos principal, so it has a krb5PrincipalName with value ldapmaster@EXAMPLE.COM, but it's not a posixAccount, so it has no uid. I have other entries that are kerberos principals and posix accounts, so they have the uid attribute. I'm using the following sasl-regexp:

sasl-regexp
uid=(.+),cn=.+,cn=auth
ldap:///dc=example,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.COM))


This is working for entries with uid, but failing miserably for the ldapmaster shown above:

server root # ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldapmaster@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn:uid=ldapmaster,cn=gssapi,cn=auth


If I instead use the following:

sasl-regexp
   uid=(.+),cn=.+,cn=auth
   ldap:///dc=example,dc=com??sub?(|(uid=$1)(cn=$1@example.com))

the mapping works as expected:

server root # ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldapmaster@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn:cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com

but I still don't know why the first mapping (desired) doesn't work. I'm using OpenLDAP 2.1.30... any ideas? Am I missing anything? By the way, the search seems to be correct:

server root # ldapsearch "(krb5PrincipalName=ldapmaster@EXAMPLE.COM)"
SASL/GSSAPI authentication started
[snip]

# ldapmaster@example.com, kerberos, example.com
dn: cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com
[snip]
krb5PrincipalName: ldapmaster@EXAMPLE.COM
[snip]
# numResponses: 2
# numEntries: 1


Thanks in advance, Jose
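To make the mechanism concrete, here is an added Python model of how a sasl-regexp is applied (example code, not from the post or from OpenLDAP): the regex captures $1 from the SASL identity, $1 is substituted into the LDAP URL's filter, and the resulting search must return exactly one entry. It assumes a constructed two-entry directory and that krb5PrincipalName uses caseExactIA5Match while uid and cn are case-insensitive; the RFC 4515 escaping of $1 is a hardening step of the model, not something the post describes.

```python
import re
# Constructed sample directory (not the poster's data): DN -> attributes.
DIRECTORY = {
    "cn=ldapmaster@example.com,ou=kerberos,dc=example,dc=com": {
        "cn": ["ldapmaster@example.com"],
        "krb5PrincipalName": ["ldapmaster@EXAMPLE.COM"]},
    "uid=jose,ou=people,dc=example,dc=com": {
        "uid": ["jose"], "krb5PrincipalName": ["jose@EXAMPLE.COM"]},
}
CASE_EXACT = {"krb5principalname"}  # assumed caseExactIA5Match; uid/cn caseIgnore

def escape_filter_value(v):
    """RFC 4515 escaping so a SASL name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in v)

def unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _parse(flt, i):
    """Parse (attr=value), (|...) or (&...) starting at flt[i] == '('."""
    if flt[i + 1] in "|&":
        op, i, kids = flt[i + 1], i + 2, []
        while flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = flt.index(")", i)
    attr, val = flt[i + 1:j].split("=", 1)
    return ("=", attr.lower(), unescape(val)), j + 1

def _eval(node, entry):
    if node[0] in "|&":
        combine = any if node[0] == "|" else all
        return combine(_eval(k, entry) for k in node[1])
    _, attr, val = node
    vals = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if attr in CASE_EXACT:
        return val in vals
    return val.lower() in [v.lower() for v in vals]

def resolve(authzid, regexp, url_template, directory=DIRECTORY):
    """Apply one sasl-regexp; return the single DN it maps to, else None."""
    m = re.fullmatch(regexp, authzid)
    if not m:
        return None
    url = url_template.replace("$1", escape_filter_value(m.group(1)))
    base, _attrs, scope, flt = re.fullmatch(
        r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url).groups()
    node, _ = _parse(flt, 0)               # only scope 'sub' is modelled here
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(base.lower()) and _eval(node, e)]
    return hits[0] if len(hits) == 1 else None   # zero or many: mapping fails
```

Against this model both of the poster's URLs resolve ldapmaster to the same single entry, which is the behaviour the ldapsearch output above also shows.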