Description of problem:

The current SASL mappings look like this:

dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090831091015Z

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=\1)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090929155624Z

and are matched in an arbitrary order. If 'Name Only' is executed first it will match everything, even a principal ending with @EXAMPLE.COM. The following search will then fail, because @EXAMPLE.COM is added for a second time.

The following change to 'Name Only'

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipatest
nsSaslMapFilterTemplate: (krbPrincipalName=&@IPATEST)
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20090831091015Z
modifyTimestamp: 20090929155624Z

solves this, because now it only matches if no '@' is found. It might make sense to use "nsSaslMapRegexString: ^[^:@]+$" if it is planned to use the 'u:' and 'dn:' patterns for SASL in future versions.
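To make the ordering problem concrete, the following is an added Python simulation of how 389-ds evaluates nsSaslMapping entries; it is not code from the bug report, from 389-ds or from FreeIPA. It assumes that the POSIX \( \) groups of nsSaslMapRegexString behave like Python groups, that \1..\9 in a template expand to the corresponding group, and that & expands to the whole matched identity (the sed-style reading of the fixed entry's '&@IPATEST'). The original 'Name Only' mapping is given a realm-appending filter template here, which is what is needed to reproduce the doubled-realm filter the report describes; the regexes themselves are the ones from the report, including the ^[^:@]+$ variant suggested at the end.

```python
"""Simulate 389-ds SASL identity mapping (constructed example).

Every mapping whose regex matches is reported, because the server itself
tries the mappings in no defined order and uses the first hit: more than one
hit for an identity means the real outcome depends on evaluation order.
"""
import re
from typing import Dict, List, Tuple

Mapping = Dict[str, str]


def expand_template(template: str, match: "re.Match[str]") -> str:
    """Expand \\N to regex group N and & to the entire matched identity.

    Assumption: this mirrors how nsSaslMapBaseDNTemplate and
    nsSaslMapFilterTemplate are expanded by the server.
    """
    def repl(tok: "re.Match[str]") -> str:
        text = tok.group(0)
        if text == "&":
            return match.group(0)
        return match.group(int(text[1]))

    return re.sub(r"\\[1-9]|&", repl, template)


def map_identity(mappings: List[Mapping], identity: str) -> List[Tuple[str, str, str]]:
    """Return (cn, base DN, filter) for each mapping whose regex matches.

    re.search is used rather than re.match because regexec() is unanchored
    unless the pattern carries ^ and $, which is exactly what the fix adds.
    """
    hits = []
    for mp in mappings:
        m = re.search(mp["regex"], identity)
        if m:
            hits.append((mp["cn"],
                         expand_template(mp["base"], m),
                         expand_template(mp["filter"], m)))
    return hits


def filters_for(mappings: List[Mapping], identity: str) -> List[str]:
    """Just the LDAP filters that would be searched for this identity."""
    return [flt for _cn, _base, flt in map_identity(mappings, identity)]


# Mappings from the report, written with Python group syntax.
FULL_PRINCIPAL: Mapping = {
    "cn": "Full Principal", "regex": r"(.*)@(.*)",
    "base": "dc=ipatest", "filter": r"(krbPrincipalName=\1@\2)",
}
# Original 'Name Only': unanchored, so it matches any identity at all.
# Constructed realm-appending template, to reproduce the doubled realm.
NAME_ONLY_OLD: Mapping = {
    "cn": "Name Only", "regex": r"(.*)",
    "base": "dc=ipatest", "filter": r"(krbPrincipalName=\1@IPATEST)",
}
# Fixed 'Name Only': only identities without '@' match.
NAME_ONLY_FIXED: Mapping = {
    "cn": "Name Only", "regex": r"^[^@]+$",
    "base": "dc=ipatest", "filter": r"(krbPrincipalName=&@IPATEST)",
}
# Variant suggested in the report, also rejecting 'u:' / 'dn:' identities.
NAME_ONLY_NO_COLON: Mapping = dict(NAME_ONLY_FIXED, regex=r"^[^:@]+$")

OLD_MAPPINGS = [FULL_PRINCIPAL, NAME_ONLY_OLD]
FIXED_MAPPINGS = [FULL_PRINCIPAL, NAME_ONLY_FIXED]
NO_COLON_MAPPINGS = [FULL_PRINCIPAL, NAME_ONLY_NO_COLON]


def is_ambiguous(mappings: List[Mapping], identity: str) -> bool:
    """True when more than one mapping claims the identity (order-dependent)."""
    return len(map_identity(mappings, identity)) > 1


if __name__ == "__main__":
    for label, mappings in (("old", OLD_MAPPINGS), ("fixed", FIXED_MAPPINGS)):
        for ident in ("admin", "admin@EXAMPLE.COM"):
            print(label, ident, "->", filters_for(mappings, ident),
                  "(AMBIGUOUS)" if is_ambiguous(mappings, ident) else "")
```

With the old mappings, admin@EXAMPLE.COM is claimed by both entries, and the 'Name Only' hit yields (krbPrincipalName=admin@EXAMPLE.COM@IPATEST), the search that fails when that mapping happens to run first. With the anchored regex only 'Full Principal' matches a realm-qualified name, so evaluation order no longer matters.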
Fixed by Simo in master commit 4262358111fb97820915769bfdb201ad39f24d7c