From 11e4a82a35665f986431894605f568ddabef2b4d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Jun 2019 01:54:54 +0300
Subject: [PATCH] configure authz mappings for gssapi authenticated users

---
 roles/ldap/server/templates/slapd.conf.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index 43e0381..a01f699 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -94,10 +94,15 @@ authz-regexp
 authz-regexp
 	"gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
 	"ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+# map kerberos users
+authz-regexp
+	"uid=([^,]\+),cn=gssapi,cn=auth"
+	"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
 # require authentication for authenticated users that don't match above
 access to *
 	by dn.children="cn=peercred,cn=external,cn=auth" auth
+	by dn.children="cn=gssapi,cn=auth" auth
 	by anonymous auth
 	by * break
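Review bot: The capture `[^,]\+` in the new `uid=` rule is far wider than a local uid and, as far as I know, slapd substitutes `$1` into the `(uid=$1)` search filter without LDAP-filter escaping, so a principal with an instance (`alice/admin`) silently fails to map while a principal containing `*`, `(` or `)` can change the filter; I would pin the class to what a posixAccount uid may contain, e.g. `"uid=([A-Za-z0-9._-]\+),cn=gssapi,cn=auth"` (same `\+` quoting as the peercred rule above). Separately, depending on `sasl-realm` and the Cyrus SASL build (neither visible here), a Kerberos bind may arrive as `uid=alice,cn=example.com,cn=gssapi,cn=auth`, which this pattern never matches — the user then only gets the `auth` grant from the new ACL line, which fails closed but leaves every GSSAPI bind unmapped, so verify with `ldapwhoami -Y GSSAPI` after deploy. If a realm-qualified rule turns out to be needed, match the realm literally (`cn=example.com`) rather than capturing `cn=([^,]\+)`, otherwise a principal from any cross-realm-trusted realm with the same primary would map onto the local account. A comment above the rule stating which identity form this server actually produces would save the next maintainer that debugging.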