authz-regexp
uid=(.*),cn=GSSAPI,cn=auth
uid=$1,ou=people,dc=example,dc=com
To understand how this works, you need to know that when SASL authenticates a user,
OpenLDAP forms a distinguished name from the name given to it by SASL (such as
joe) and the name of the SASL flavor (GSSAPI). The result would be
uid=joe,cn=GSSAPI,cn=auth.
If a authz-regexp has been configured, it checks the DN formed from the SASL
information using the first argument as a regular expression. If this regular expression
matches, the name is replaced with the second argument of the authz-regexp
statement. The placeholder $1 is replaced with the substring matched by the (.*)
expression.
More complicated match expressions are possible. If you have a more complicated di-
rectory structure or a schema in which the username is not part of the DN, you can even
use search expressions to map the SASL DN to the user DN.
868
Installation and Administration