configure authz mappings for gssapi authenticated users

roles/ldap/server/templates/slapd.conf.j2

@@ -94,10 +94,15 @@ authz-regexp
 authz-regexp
     "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
     "ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+# map kerberos users
+authz-regexp
+    "uid=([^,]\+),cn=gssapi,cn=auth"
+    "ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
 
 # require authentication for authenticated users that don't match above
 access to *
     by dn.children="cn=peercred,cn=external,cn=auth" auth
+    by dn.children="cn=gssapi,cn=auth" auth
     by anonymous auth
     by * break