Hello,
You have to ensure that SASL authenticates you first, then check for the regexp so it binds you as someone else. From what I see:
* the file should be .ldaprc and not ldaprc * the sasl directive is just SASL_MECH * the client certificate MUST be valid on the server side: The CA in the ldap serveur must be able to validate user.crt * Indeed, the ldapwhoami command MUST NOT use -D as it involves simple bind
You can use -d9 as client switch to have more debug on your client, and check log on the server side. As discussed, the auth type must not be 128 if SASL is used. Once ldapwhoami does not fail and gives you a DN made from your cert's subject, you can look at authzregexp as well. You can use sites like regex101 to ensure the regex matches the certificate subject
Regards ________________________________ De : Windl, Ulrich u.windl@ukr.de Envoyé : lundi 3 mars 2025 12:02 À : openldap-technical@openldap.org openldap-technical@openldap.org Objet : How to start debugging olcAuthzRegexp?
ATTENTION : Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes à moins que vous ne reconnaissiez l'expéditeur et que vous sachiez que le contenu est sûr.
Hi!
I tried to remove the credentials from my syncrepl configuration using certificate authentication instead.
To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works.
Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are all poorly written and incomplete, or it must be very simple to get it running.
However I failed so far. My suspect is that my olcAuthzRegexp does not properly map the certificate’s name to the user, or the mapping is not called at all.
Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working.
What I have tried so far is having a ~/ldaprc with:
TLS_REQCERT demand
TLS_CACERT ./User-CA.crt
TLS_CERT ./uid=user.crt
TLS_KEY ./uid=user.pem
LDAPSASL_MECH external
And I tried the command “ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v”
I tried these olcAuthzRegexp:
olcAuthzRegexp: {1} "C=DE,…,O=…,uid=([^,]+)" uid=$1,ou=people,dc=…,dc==de
olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=…,dc=de
(I left out the details of the certificate and directory contexts)
Kind regards,
Ulrich Windl