After spending a day trying to figure out why the following didn't work:

nsSaslMapRegexString: (.*)@(.*)

I found the following in fedora-ds-7.1/ldap/servers/slapd/regex.c:

 * [7] a regular expression in the form [1] to [10], enclosed
 * as \(form\) matches what form matches. The enclosure
 * creates a set of tags, used for [8] and for
 * pattern substution. The tagged forms are numbered
 * starting from 1.

So everything is working with entries of the form:

nsSaslMapRegexString: \(.*\)
nsSaslMapRegexString: \([^/]*\)/\(.*\)

I don't think that the realm is ever sent, but I haven't tried to authenticate with a krb5 ticket from another realm.
Ok. I think I understand what you're saying. Please check the page and let me know if it is now correct.
Seems right now apart from the DOMAIN/username section. I use a regex of the form \([^/]+\)/\(.+\) (note that I replaced * with + since it makes a lot more sense) to map Kerberos principals with an instance, like service/fqdn or user/admin. It really has nothing to do with DOMAIN/username. For example, if you want to map all services from hostname.domain to the uid=hostname.domain,ou=hosts,dc=domain you can use [^/]+/\(.+\) and a map base of uid=\1,ou=hosts,dc=domain, or you might want to map all principals with an admin instance to uid=user,ou=Managers,dc=domain, so you'll use \([^/]+\)/admin and a map base of uid=\1,ou=Managers,dc=domain.
Thanks. Fixed. http://directory.fedora.redhat.com/wiki/Howto:Kerberos#How_do_I_configure_FDS_to_use_SASL_and_GSSAPI_to_authenticate_against_a_local_Kerberos_realm.3F
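To make the tagged-group behaviour discussed in this thread concrete, here is an added Python model of the nsSaslMapRegexString / base-DN mapping (example code, not part of the thread or of Fedora DS itself). It assumes the realm has already been stripped from the principal, that the whole principal must match, and that the engine accepts + as in the posts above; the function and variable names are made up for the example.

```python
import re
from typing import Optional

def bre_to_python(pattern: str) -> str:
    """Translate the tagged-group syntax quoted from regex.c into Python re
    syntax: \\( \\) tag a group, bare ( ) are literal characters.
    Everything else is passed through unchanged (assumption for this model)."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "()":
            out.append(pattern[i + 1])   # \( or \) becomes a tagged group
            i += 2
        elif ch in "()":
            out.append("\\" + ch)        # untagged parens match literally
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def map_principal(regex: str, base: str, principal: str) -> Optional[str]:
    """Apply one regex / base pair to a principal (realm already removed).
    Returns the mapped DN, or None when the regex does not match the whole
    principal or the base names a tag the regex never defined."""
    m = re.compile(bre_to_python(regex)).fullmatch(principal)
    if m is None:
        return None
    try:
        return m.expand(base)   # substitutes \1, \2, ... from the tagged forms
    except re.error:
        return None             # e.g. base uses \1 but regex has no \( \) tags

if __name__ == "__main__":
    # Constructed sample principals; "EXAMPLE" DNs follow the thread's shapes.
    cases = [
        (r"(.*)@(.*)", r"uid=\1,ou=People,dc=domain", "joe@EXAMPLE.COM"),
        (r"\(.*\)", r"uid=\1,ou=People,dc=domain", "joe"),
        (r"[^/]+/\(.+\)", r"uid=\1,ou=hosts,dc=domain", "host/hostname.domain"),
        (r"\([^/]+\)/admin", r"uid=\1,ou=Managers,dc=domain", "joe/admin"),
        (r"\([^/]+\)/admin", r"uid=\1,ou=Managers,dc=domain", "host/hostname.domain"),
    ]
    for regex, base, principal in cases:
        print(f"{regex:<22} {principal:<22} -> {map_principal(regex, base, principal)}")
```

The first case shows the original failure: with untagged parentheses the pattern only matches strings containing a literal "(", so no principal is ever mapped.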