Hi!
I tried to remove the credentials from my syncrepl configuration using certificate authentication instead. To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works. Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are all poorly written and incomplete, or it must be very simple to get it running. However I failed so far. My suspect is that my olcAuthzRegexp does not properly map the certificate's name to the user, or the mapping is not called at all. Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working.
What I have tried so far is having a ~/ldaprc with:
TLS_REQCERT demand
TLS_CACERT ./User-CA.crt
TLS_CERT ./uid=user.crt
TLS_KEY ./uid=user.pem
LDAPSASL_MECH external
And I tried the command "ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v"
I tried these olcAuthzRegexp:
olcAuthzRegexp: {1} "C=DE,...,O=...,uid=([^,]+)" uid=$1,ou=people,dc=...,dc=de
olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=...,dc=de
(I left out the details of the certificate and directory contexts)
Kind regards, Ulrich Windl
On Mon, Mar 03, 2025 at 11:02:36AM +0000, Windl, Ulrich wrote:
Hi!
I tried to remove the credentials from my syncrepl configuration using certificate authentication instead. To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works. Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are all poorly written and incomplete, or it must be very simple to get it running. However I failed so far. My suspect is that my olcAuthzRegexp does not properly map the certificate's name to the user, or the mapping is not called at all. Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working.
Hi Ulrich, first point of call is often adding the 'trace' level to whatever you set your loglevel to, possibly also 'acl' when ACLs might be relevant. Compare what you see for the request with what your ldap tools report and check at which point your expectations no longer align with what's actually happening. Could be anything from a config level typo through ACL mismatch to your client just not issuing the sort of request you thought it would.
And before you start encoding them in configuration, it's good practice being explicit by passing the options in directly as command-line parameters (also pretty sure -D is not used for SASL binds.)
Regards,
Hello,
You have to ensure that SASL authenticates you first, then check for the regexp so it binds you as someone else. From what I see:
* the file should be .ldaprc and not ldaprc
* the sasl directive is just SASL_MECH
* the client certificate MUST be valid on the server side: the CA in the ldap server must be able to validate user.crt
* Indeed, the ldapwhoami command MUST NOT use -D as it involves simple bind
You can use -d9 as client switch to have more debug on your client, and check log on the server side. As discussed, the auth type must not be 128 if SASL is used. Once ldapwhoami does not fail and gives you a DN made from your cert's subject, you can look at authzregexp as well. You can use sites like regex101 to ensure the regex matches the certificate subject
Regards

From: Windl, Ulrich u.windl@ukr.de
Sent: Monday, 3 March 2025 12:02
To: openldap-technical@openldap.org
Subject: How to start debugging olcAuthzRegexp?
Hi!
I tried to remove the credentials from my syncrepl configuration using certificate authentication instead.
To do so I added a user certificate for my own user and tried ldapwhoami to verify that it works.
Unfortunately it does not. I read quite a lot on the subject, and either all the descriptions are all poorly written and incomplete, or it must be very simple to get it running.
However I failed so far. My suspect is that my olcAuthzRegexp does not properly map the certificate’s name to the user, or the mapping is not called at all.
Can anybody provide a sample configuration for the client user to verify the configuration, and maybe give an example on the server side to get it working.
What I have tried so far is having a ~/ldaprc with:
TLS_REQCERT demand
TLS_CACERT ./User-CA.crt
TLS_CERT ./uid=user.crt
TLS_KEY ./uid=user.pem
LDAPSASL_MECH external
And I tried the command “ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v”
I tried these olcAuthzRegexp:
olcAuthzRegexp: {1} "C=DE,…,O=…,uid=([^,]+)" uid=$1,ou=people,dc=…,dc=de
olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=…,dc=de
(I left out the details of the certificate and directory contexts)
Kind regards,
Ulrich Windl
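The reply above recommends getting ldapwhoami to report the DN that SASL/EXTERNAL derives from the certificate subject first, and only then checking that an olcAuthzRegexp rule matches it (regex101 being one way to do that). The script below is an added example, not code from the thread or from OpenLDAP: it replays slapd's first-match-wins rule evaluation and its $1..$9 back-reference expansion locally, so a rule can be tried against the exact DN string that ldapwhoami -d9 or the server trace log prints before it is written into cn=config. The sample DNs, the dc=example,dc=de suffix and the lower-case, LDAP-ordered form of the certificate subject are constructed; the real string must be taken from the server's own output, and Python's re is used as an approximation of the POSIX extended regex slapd compiles.

```python
"""Offline pre-check for olcAuthzRegexp rules (added example, not from the thread).

slapd walks the olcAuthzRegexp rules in their {n} order, applies the first one
whose pattern matches the SASL authentication DN, and rewrites that DN using
$1..$9 back-references into the capture groups.  Everything below reproduces
that locally on constructed input so a rule can be validated against the DN
string the server actually reports.
"""
import re

# Rules in cn=config order ({0}, {1}, {2}).  Constructed; the dc=example,dc=de
# suffix stands in for a real directory suffix.
RULES = [
    # X.509-ordered, upper-case pattern in the style of the thread.  It matches
    # the subject as openssl prints it, which is not necessarily the string slapd
    # matches against (assumption: slapd normalises the subject to LDAP order).
    (r"C=DE,O=Example,uid=([^,]+)", "uid=$1,ou=people,dc=example,dc=de"),
    # GSSAPI-style identity, anchored so it cannot match a substring.
    (r"^uid=([^,]+),cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=example,dc=de"),
    # LDAP-ordered, lower-case form of a certificate subject (constructed; verify
    # the real form with `ldapwhoami -Y EXTERNAL -d9` or the server trace log).
    (r"^uid=([^,]+),o=example,c=de$", "uid=$1,ou=people,dc=example,dc=de"),
]

_BACKREF = re.compile(r"\$(\d)")


def rewrite(template, match):
    """Expand $1..$9 in a replacement the way slapd does for a matched rule."""
    return _BACKREF.sub(lambda m: match.group(int(m.group(1))) or "", template)


def map_authcid(authc_dn, rules=RULES):
    """Return (rule_index, mapped_dn) for the first matching rule.

    If no rule matches, slapd keeps the authentication DN as is, so
    (None, authc_dn) is returned.  re.search mirrors regexec(): patterns are
    not anchored unless they carry ^ and $ themselves.
    """
    for idx, (pattern, template) in enumerate(rules):
        m = re.search(pattern, authc_dn)
        if m:
            return idx, rewrite(template, m)
    return None, authc_dn


# Constructed identities, labelled by where each string form comes from.
SAMPLE_IDENTITIES = {
    "cert_subject_ldap_order": "uid=user,o=example,c=de",   # what slapd sees (assumed form)
    "gssapi": "uid=user,cn=gssapi,cn=auth",                  # Kerberos bind identity
    "cert_subject_x509_order": "C=DE,O=Example,uid=user",    # openssl -subject style printout
}


def check_all(identities=SAMPLE_IDENTITIES, rules=RULES):
    """Map every sample identity and report which rule (if any) handled it."""
    return {name: map_authcid(dn, rules) for name, dn in identities.items()}


if __name__ == "__main__":
    for name, (idx, dn) in check_all().items():
        hit = "no rule matched" if idx is None else f"rule {{{idx}}}"
        print(f"{name:26s} -> {hit:15s} {dn}")
```

The point the output makes is the one the replies circle around: a pattern written against the subject as openssl prints it matches only that printout (rule {0} fires for the X.509-ordered string), while the LDAP-ordered string slapd derives from the certificate is caught only by a rule written in that form (rule {2}). Replace the constructed DNs with the ones your server reports and re-run before editing cn=config.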
--On Monday, March 3, 2025 11:02 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
And I tried the command "ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v"
This isn't doing certificate auth. I suggest reading a recent thread where I literally provide an example command line call using SASL/EXTERNAL.
--Quanah