Hi!

I tried to remove the credentials from my syncrepl configuration using certificate authentication instead.

To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works.

Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are poorly written and incomplete, or it must be very simple to get it running.

However, I have failed so far. My suspicion is that my olcAuthzRegexp does not properly map the certificate's name to the user, or that the mapping is not called at all.

Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working?

What I have tried so far is having a ~/ldaprc with:

TLS_REQCERT demand
TLS_CACERT ./User-CA.crt
TLS_CERT ./uid=user.crt
TLS_KEY ./uid=user.pem
LDAPSASL_MECH external

And I tried the command “ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v”

I tried these olcAuthzRegexp:

olcAuthzRegexp: {1} "C=DE,…,O=…,uid=([^,]+)" uid=$1,ou=people,dc=…,dc==de
olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=…,dc=de

(I left out the details of the certificate and directory contexts)

Kind regards,

Ulrich Windl
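As an added example (not code from the post or from OpenLDAP), here is a small offline dry-run of the olcAuthzRegexp matching, so that rules like the two above can be checked before touching slapd. It assumes that slapd sees the certificate subject as an LDAP (RFC 4514) DN string, most-specific RDN first (`uid=user,O=…,C=DE`, the reverse of OpenSSL's `/C=DE/O=…/UID=user` output), that the match is a case-insensitive substring match with the first matching rule winning, and that `$1` in the replacement is the first capture group; "example" stands in for the elided `…` parts of the DN.

```python
"""Dry-run of slapd's olcAuthzRegexp mapping (added example, not code from the post
or from OpenLDAP).  Assumptions, stated as such: slapd matches each rule against the
authentication DN written in LDAP (RFC 4514) order, most-specific RDN first, which is
the reverse of OpenSSL's "/C=DE/O=Example/UID=user" subject output; the match is a
case-insensitive substring match; the first matching rule wins; "$1" in the
replacement refers to the first capture group."""
import re
from typing import List, Optional, Tuple

# Constructed rules modelled on the two in the post; "example" stands in for the elided
# "..." parts, and the certificate subject is assumed to be uid=user,O=Example,C=DE.
RULES: List[Tuple[str, str]] = [
    (r"uid=([^,]+),o=example,c=de", "uid=$1,ou=people,dc=example,dc=de"),
    (r"^uid=([^,]+),cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=example,dc=de"),
]


def openssl_subject_to_ldap_dn(subject: str) -> str:
    """Turn an 'openssl x509 -subject' style '/C=DE/O=Example/UID=user' string into the
    RFC 4514 order slapd works with.  Simplification: values contain no '/' or ',', so
    no escaping is handled."""
    rdns = [part for part in subject.split("/") if part]
    return ",".join(reversed(rdns))


def authz_regexp(authc_dn: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """Return the DN the first matching rule rewrites to, or None when no rule matches
    (slapd would then leave the unmapped authentication DN in place)."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            # Expand slapd-style $N references from the capture groups.
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


if __name__ == "__main__":
    for subject in ("/C=DE/O=Example/UID=user",            # TLS client certificate
                    "uid=user,cn=gssapi,cn=auth",          # GSSAPI-style authcDN
                    "/C=DE/O=Example/CN=someone else"):    # certificate without uid
        dn = openssl_subject_to_ldap_dn(subject) if subject.startswith("/") else subject
        print(f"{dn!r:42} -> {authz_regexp(dn)!r}")
```

Swapping the first rule for one written in OpenSSL's forward order (`c=de,o=example,uid=([^,]+)`) makes `authz_regexp` return None for the certificate DN, which is the symptom of a rule that never fires.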