I also tried to upgrade syncrepl to TLS and while replication works fine over TLS, chaining still says Strong(er) authentication is needed.
And I get:
50150d47 do_bind: dn () SASL mech EXTERNAL
50150d47 ==>slap_sasl2dn: converting SASL name cn=cn\3Dreplicator,o=webgate,st=some-state,c=au to a DN
50150d47 ==> rewrite_context_apply [depth=1] string='cn=cn\3Dreplicator,o=webgate,st=some-state,c=au'
50150d47 ==> rewrite_rule_apply rule='cn=replicator' string='cn=cn\3Dreplicator,o=webgate,st=some-state,c=au' [1 pass(es)]
50150d47 ==> rewrite_context_apply [depth=1] res={0,'cn=cn\3Dreplicator,o=webgate,st=some-state,c=au'}
50150d47 slap_parseURI: parsing cn=cn\3Dreplicator,o=webgate,st=some-state,c=au
ldap_url_parse_ext(cn=cn\3Dreplicator,o=webgate,st=some-state,c=au)
50150d47 >>> dnNormalize: <cn=cn\3Dreplicator,o=webgate,st=some-state,c=au>
50150d47 <<< dnNormalize: <cn=cn\3Dreplicator,o=webgate,st=some-state,c=au>
50150d47 <==slap_sasl2dn: Converted SASL name to cn=cn\3Dreplicator,o=webgate,st=some-state,c=au
50150d47 slap_sasl_getdn: dn:id converted to cn=cn\3Dreplicator,o=webgate,st=some-state,c=au
50150d47 SASL Authorize [conn=1017]: proxy authorization allowed authzDN=""
50150d47 send_ldap_sasl: err=0 len=-1
50150d47 do_bind: SASL/EXTERNAL bind: dn="cn=cn\3Dreplicator,o=webgate,st=some-state,c=au" sasl_ssf=0
I've got this on the master:
authz-policy to
authz-regexp cn=replicator "cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
"cn=replicator" is the CommonName set in the private key