On Tue, Apr 08, 2025 at 02:35:58PM +0200, Stefan Kania wrote:
> Hi all,
>
> I want to rewrite the gssapi user name after authentication using
> olcAuthzRegexp, but I want to rewrite the krbPrincipalName. If a principal is
> getting a ticket and I then test the authentication with "ldapwhoami", I see:
> uid=my-principal,cn=gssapi,cn=auth
>
> So now I want to rewrite the uid to:
> krbPrincipalName=my-principal@REALM,cn=REALM,cn=kerberos,dc=example,dc=net
> which is the real object name.
>
> My first try was:
> olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
> krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net
>
> That is working. Now "ldapwhoami" is showing:
> krbPrincipalName=my-principal@REALM,cn=realm,cn=kerbers,dc=example,dc=net
>
> Then I changed olcAuthzRegexp to:
> uid=(.+),cn=gssapi,cn=auth
> ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)
>
> I also tried:
> (krbPrincipalName=$1)
> (krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net)
>
> but none of the filters is working.
> How do I have to configure the filter to rewrite to the krbPrincipalName
> within the search?
Hi Stefan,
Hard to tell, but it might be down to ACLs: if you want to use LDAP URIs
for user selection, there is an internal search that is run, and it needs
`auth` privileges to run. You probably need to run with ACL logging enabled
and check that your ACLs are not standing in the way of that.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
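As an added illustration of the reply above (this is not from the thread or from OpenLDAP itself), the following cn=config LDIF grants the not-yet-mapped GSSAPI identity `auth` access to the attribute used in the LDAP-URI filter, installs the URI-based mapping, and turns on ACL logging for the check Ondřej suggests. It assumes the data backend is `olcDatabase={1}mdb,cn=config`, the suffix `dc=example,dc=net` and the realm `REALM` from the question; the `entry` pseudo-attribute in the ACL is a precaution, not something the thread states is required.

```ldif
# Added example, not part of the thread. Assumptions: the data backend is
# olcDatabase={1}mdb,cn=config, the suffix is dc=example,dc=net and the
# realm is REALM (substitute the real values before applying).
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-kerberos.ldif

# 1. Grant `auth` access to the attribute used in the LDAP-URI filter.
#    The internal search runs as the still-unmapped identity
#    uid=<principal>,cn=gssapi,cn=auth, so that is what the `by` clause
#    must match. Index {0} places the rule before any broader rule that
#    would otherwise match the subtree first; `by * break` hands all other
#    identities on to the existing rules unchanged. `entry` is included as
#    a precaution so the matching entry itself is not withheld (assumption).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=kerberos,dc=example,dc=net" attrs=krbPrincipalName,entry by dn.regex="^uid=[^,]+,cn=gssapi,cn=auth$" auth by * break

# 2. The mapping itself: the LDAP URI form from the question, so the
#    result is the real krbPrincipalName entry (exactly one must match).
#    `replace` drops the hand-built DN mapping tried first.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]+),cn=gssapi,cn=auth ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)
-
# 3. While debugging, log ACL decisions so a denied internal search shows
#    up in the slapd log. Lower the level again once the mapping works.
replace: olcLogLevel
olcLogLevel: acl
```

After applying, `ldapwhoami -Y GSSAPI` should return the krbPrincipalName DN; if it still returns the uid form, the ACL log shows which attribute the internal search was denied on.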