Red Hat Bugzilla – Bug 171358
Wrong information in Howto:Kerberos
Last modified: 2007-04-18 13:33:18 EDT
After spending a day trying to figure out why the following didn't work,
I found the following in fedora-ds-7.1/ldap/servers/slapd/regex.c:
*  a regular expression in the form  to , enclosed
* as \(form\) matches what form matches. The enclosure
* creates a set of tags, used for  and for
* pattern substution. The tagged forms are numbered
* starting from 1.
So everything is working with entries of the form
I don't think that the realm is ever sent, but I haven't tried to authenticate
with a krb5 ticket from another realm.
Ok. I think I understand what you're saying. Please check the page and let me
know if it is now correct.
Seems right now apart from the DOMAIN/username section.
I use a regex of the form \([^/]+\)/\(.+\) (note that I replaced * with + since
it makes a lot more sense) to map Kerberos principals with an instance, like
service/fqdn or user/admin. It really has nothing to do with DOMAIN/username.
For example, if you want to map all services from hostname.domain to
uid=hostname.domain,ou=hosts,dc=domain you can use [^/]+/\(.+\) and a map base
of uid=\1,ou=hosts,dc=domain, or you might want to map all principals with an
admin instance to uid=user,ou=Managers,dc=domain, so you'll use \([^/]+\)/admin
and a map base of uid=\1,ou=Managers,dc=domain.
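The following is an added illustration of the tagged-group mapping described in the comment above; it is not code from the bug report or from Fedora Directory Server. It translates the \(...\) grouping syntax that regex.c documents into Python regex groups, applies the two example rules from the comment (service principals to ou=hosts, admin instances to ou=Managers), and shows why * versus + matters. The rule ordering, the full-match anchoring and the dc=domain DN components are assumptions made for the example, not behaviour the page confirms about the server.

```python
import re

# Constructed mapping rules in the style of the comment above:
# (BRE filter pattern, map base template using \1 backreferences).
# The admin rule is listed first on purpose: the service rule's "\(.+\)"
# would otherwise also capture "admin" and file alice/admin under ou=hosts.
MAPPINGS = [
    (r"\([^/]+\)/admin", r"uid=\1,ou=Managers,dc=domain"),  # user/admin -> Managers
    (r"[^/]+/\(.+\)",    r"uid=\1,ou=hosts,dc=domain"),     # service/fqdn -> hosts
]


def bre_to_python(pattern: str) -> str:
    """Translate the POSIX basic-regex group syntax documented in regex.c,
    \\( ... \\), into Python's ( ... ). The other constructs used here
    ([^/], +, .) mean the same thing in both dialects."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def matches(bre_pattern: str, principal: str) -> bool:
    """True if the whole principal matches the BRE pattern.
    Anchoring to the full string is an assumption of this example."""
    return re.fullmatch(bre_to_python(bre_pattern), principal) is not None


def map_principal(principal: str, mappings=MAPPINGS):
    """Return the DN built from the first rule that matches the principal
    (realm already stripped, as the comment assumes), or None if no rule
    matches. \\N in the map base is replaced by tagged group N."""
    for bre_pattern, map_base in mappings:
        m = re.fullmatch(bre_to_python(bre_pattern), principal)
        if m:
            return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), map_base)
    return None


if __name__ == "__main__":
    # Constructed sample principals.
    for p in ["ldap/host1.example.com", "alice/admin", "alice"]:
        print(p, "->", map_principal(p))
    # The comment's point about "*": an empty user part would still match.
    print("'/admin' with [^/]*:", matches(r"\([^/]*\)/admin", "/admin"))
    print("'/admin' with [^/]+:", matches(r"\([^/]+\)/admin", "/admin"))
```

With the + form, a principal whose user part is empty is rejected instead of being mapped to a DN with an empty uid, which is the reason the commenter prefers it over *.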