I'm migrating from OpenLDAP to FDS, soon, and I'm trying to establish an entirely compatible Kerberos auth configuration on the new system. User authentication wasn't really a problem, but we have one application which uses a Kerberos principal which doesn't map to a DN on the old system. I'm using this ACI (among others, naturally) on the base DN:

dn: dc=ee,dc=washington,dc=edu
aci: (version 3.0; acl "Allow all writes by admin users and web form"; allow (all) userdn="ldap:///uid=*/admin,cn=GSSAPI,cn=auth || ldap:///uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth";)

My only SASL mapping rule is this:

dn: cn=Kerberos mapping,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos mapping
nsSaslMapRegexString: uid=([^/]*),cn=GSSAPI,cn=auth
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=ee,dc=washington,dc=edu
nsSaslMapFilterTemplate: objectClass=inetOrgPerson

For the application, the obvious simple "out" seems to be creating a new entry for the application, under "people", but I don't know how the "admin" tickets will work. I'm guessing that I need a "default" mapping, but SASL and GSSAPI are documented rather poorly for FDS, and it's not clear to me exactly what I need to do here.
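An added example, not from the post, that evaluates the post's nsSaslMapping rule against the three identity forms the ACI refers to (a plain user, a user/admin principal, and the application/host principal), showing which of them the regex actually maps to a DN. It assumes the server presents identities in the same "uid=...,cn=GSSAPI,cn=auth" form the rule expects and matches the regex unanchored; the second "Admin mapping" rule is a hypothetical I added to show how an extra rule would be evaluated, not something from the post.

```python
import re

# The mapping rule exactly as given in the post (nsSaslMapping attributes).
POST_RULE = {
    "cn": "Kerberos mapping",
    "regex": r"uid=([^/]*),cn=GSSAPI,cn=auth",
    "base_dn": r"uid=\1,ou=people,dc=ee,dc=washington,dc=edu",
    "filter": r"objectClass=inetOrgPerson",
}

# Hypothetical second rule (my assumption, not in the post): map a
# "user/admin" principal onto the same person entry as plain "user".
ADMIN_RULE = {
    "cn": "Admin mapping",
    "regex": r"uid=([^/]*)/admin,cn=GSSAPI,cn=auth",
    "base_dn": r"uid=\1,ou=people,dc=ee,dc=washington,dc=edu",
    "filter": r"objectClass=inetOrgPerson",
}


def apply_mappings(identity, rules):
    """Return (rule cn, search base DN, search filter) for the first rule
    whose regex matches the SASL identity, or None when no rule matches.
    Matching is unanchored (re.search); \\1, \\2 ... in the templates are
    replaced by the regex capture groups, as the nsSaslMap*Template
    attributes describe."""
    for rule in rules:
        m = re.search(rule["regex"], identity)
        if m is None:
            continue
        return rule["cn"], m.expand(rule["base_dn"]), m.expand(rule["filter"])
    return None


if __name__ == "__main__":
    # Constructed sample identities covering the three forms in the ACI.
    identities = [
        "uid=bob,cn=GSSAPI,cn=auth",
        "uid=bob/admin,cn=GSSAPI,cn=auth",
        "uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth",
    ]
    for ident in identities:
        # With only the post's rule, the two principals containing "/"
        # never map, because [^/]* stops at the slash.
        print(ident, "->", apply_mappings(ident, [POST_RULE]))
        print(ident, "->", apply_mappings(ident, [POST_RULE, ADMIN_RULE]))
```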