On Mon, Mar 03, 2025 at 11:02:36AM +0000, Windl, Ulrich wrote:
Hi!
I tried to remove the credentials from my syncrepl configuration using certificate authentication instead. To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works. Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are all poorly written and incomplete, or it must be very simple to get it running. However I failed so far. My suspect is that my olcAuthzRegexp does not properly map the certificate's name to the user, or the mapping is not called at all. Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working.
Hi Ulrich, first point of call is often adding the 'trace' level to whatever you set your loglevel to, possibly also 'acl' when ACLs might be relevant. Compare what you see for the request with what your ldap tools report and check at which point your expectations no longer align with what's actually happening. Could be anything from a config level typo through ACL mismatch to your client just not issuing the sort of request you thought it would.
And before you start encoding them in configuration, it's good practice being explicit by passing the options in directly as command-line parameters (also pretty sure -D is not used for SASL binds.)
Regards,