In implementing a SASL/Kerberos solution I need to match incoming Kerberos principals against LDAP entries in the ou=People and ou=Hosts branches. OpenDJ only supports a single RegularExpression Identity Mapper, which makes this impossible.
To illustrate, I have two situations. The first is catered for by the standard mapping, which takes the incoming principal:
and uses a ds-config-match-pattern of ^([^@]$ and a ds-config-match-attribute of uid to match this to:
I believe this is restricted on matching within the container ou=People, dc=example, dc=com (but I'm no longer sure why I believe this).
The second situation is an incoming principal:
Now, the hosts container is ou=Hosts, dc=example, dc=com, and my current choice for host name is:
There's no uid for the host, so I need to match against the cn attribute in this case, but the regular expression mapper doesn't support this.
OpenLDAP will allow this, as it has support for multiple authz-regexp expressions, as illustrated by this blog post: http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
I'm currently investigating a workaround for this problem, so the use case may not be a good one to drive the change. As a result, I've set the current priority as Trivial.
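To show what the requested behaviour looks like in practice, here is an added example, written for this page and not code from OpenDJ or from the reporter: an ordered list of regex-to-(base DN, attribute) rules, in the spirit of OpenLDAP's multiple authz-regexp entries, evaluated against a small in-memory stand-in for the directory. The realm EXAMPLE.COM, the principals alice@EXAMPLE.COM and host/www.example.com@EXAMPLE.COM, the host-name form, and the sample entries are all assumptions, since the report does not show them. The security-relevant point is that each rule is pinned to one subtree and one attribute, and that a principal is rejected unless it resolves to exactly one entry.

```python
import re
from typing import List, NamedTuple

# Constructed sample directory (assumption: entries and naming are not given on the page).
# Users live under ou=People and carry a uid; hosts live under ou=Hosts and only carry a cn.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice Example"]},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob Example"]},
    "cn=www.example.com,ou=Hosts,dc=example,dc=com": {"cn": ["www.example.com"]},
    "cn=db.example.com,ou=Hosts,dc=example,dc=com": {"cn": ["db.example.com"]},
}


class MapperRule(NamedTuple):
    """One identity-mapper rule: a principal pattern, the subtree it may match in, and the attribute."""
    pattern: "re.Pattern[str]"
    base_dn: str
    attribute: str


# Assumed realm and principal forms. The user rule excludes "/" so that a service
# principal such as host/... can never be mapped into the People branch by accident.
RULES: List[MapperRule] = [
    MapperRule(re.compile(r"^([^/@]+)@EXAMPLE\.COM$"), "ou=People,dc=example,dc=com", "uid"),
    MapperRule(re.compile(r"^host/([^/@]+)@EXAMPLE\.COM$"), "ou=Hosts,dc=example,dc=com", "cn"),
]


class MappingError(Exception):
    """Raised when a principal cannot be mapped to exactly one entry."""


def search(base_dn: str, attribute: str, value: str) -> List[str]:
    """Equality match on one attribute, restricted to one subtree; stands in for an LDAP search.

    DNs and attribute values are compared case-insensitively, as an LDAP server would for
    the caseIgnore matching rules used by uid and cn.
    """
    base = base_dn.lower()
    return [
        dn
        for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith("," + base)
        and any(v.lower() == value.lower() for v in attrs.get(attribute, []))
    ]


def map_principal(principal: str) -> str:
    """Map a Kerberos principal to a DN using the first rule whose pattern matches.

    A rule only succeeds if its search returns exactly one entry: zero hits means an
    unknown identity, more than one means an ambiguous mapping, and both are refused
    rather than silently picking an entry.
    """
    for rule in RULES:
        m = rule.pattern.match(principal)
        if not m:
            continue
        hits = search(rule.base_dn, rule.attribute, m.group(1))
        if len(hits) != 1:
            raise MappingError(
                f"{principal!r}: expected exactly one entry with {rule.attribute}="
                f"{m.group(1)!r} under {rule.base_dn}, found {len(hits)}"
            )
        return hits[0]
    raise MappingError(f"{principal!r}: no identity-mapper rule matched")


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "host/www.example.com@EXAMPLE.COM",
              "host/nosuch.example.com@EXAMPLE.COM", "alice@OTHER.REALM"):
        try:
            print(p, "->", map_principal(p))
        except MappingError as e:
            print("rejected:", e)
```

Each rule carries its own base DN, which is what makes the separation enforceable: a host principal cannot resolve to a user entry even if some user happened to have a cn equal to a host name, and a foreign realm matches no rule at all.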