Hello,

You have to ensure that SASL authenticates you first, then check for the regexp 
so it binds you as someone else. From what I see:

  * the file should be .ldaprc and not ldaprc
  * the sasl directive is just SASL_MECH
  * the client certificate MUST be valid on the server side: the CA in the ldap
    server must be able to validate user.crt
  * Indeed, the ldapwhoami command MUST NOT use -D as it involves simple bind

You can use -d9 as a client switch to have more debug on your client, and check 
the log on the server side. As discussed, the auth type must not be 128 if SASL is 
used. Once ldapwhoami does not fail and gives you a DN made from your cert's 
subject, you can look at authzregexp as well. You can use sites like regex101 
to ensure the regex matches the certificate subject.

Regards
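As an added illustration of the last step above (checking the regexp against the identity ldapwhoami reports), and not code from this thread: a small Python emulation of how slapd applies olcAuthzRegexp rules. The rules, the o=Example Org subject and the dc=example,dc=de suffix are constructed placeholders.

```python
import re

# Constructed rules, shaped like the thread's (match regex, replacement DN) pairs;
# "example"/"de" are placeholders. slapd tries them in order, first match wins.
AUTHZ_RULES = [
    (r"^uid=([^,]+),cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=example,dc=de"),
    (r"^uid=([^,]+),o=example org,c=de$", "uid=$1,ou=people,dc=example,dc=de"),
]


def _template(replacement):
    """Turn slapd's $1..$9 group references into Python's \\1..\\9."""
    return re.sub(r"\$([1-9])", r"\\\1", replacement)


def cert_subject_to_authc_dn(openssl_subject):
    """Rewrite an OpenSSL-style subject (/C=DE/O=Example Org/UID=alice) into the
    LDAP string form slapd reports for a SASL EXTERNAL bind: most specific RDN
    first, attribute types in lower case. Always compare the result with what
    ldapwhoami actually prints; that string is the one the regexp must match."""
    rdns = [p for p in openssl_subject.split("/") if p]
    pairs = (r.split("=", 1) for r in reversed(rdns))
    return ",".join(f"{t.lower()}={v}" for t, v in pairs)


def map_authz(rules, authc_dn):
    """Return the DN slapd would bind the client as, or None if no rule matches.
    slapd compiles each pattern as an extended, case-insensitive regex and does
    not anchor it implicitly, so patterns should carry ^ and $ as above."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            return m.expand(_template(replacement))
    return None


if __name__ == "__main__":
    # Identities as ldapwhoami shows them for a GSSAPI bind, for a TLS client
    # certificate (SASL EXTERNAL), and for a subject no rule covers.
    for ident in ("uid=alice,cn=gssapi,cn=auth",
                  cert_subject_to_authc_dn("/C=DE/O=Example Org/UID=alice"),
                  "cn=alice,o=example org,c=de"):
        print(f"{ident} -> {map_authz(AUTHZ_RULES, ident)}")
```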
________________________________
From: Windl, Ulrich <[email protected]>
Sent: Monday, 3 March 2025 12:02
To: [email protected] <[email protected]>
Subject: How to start debugging olcAuthzRegexp?

Hi!

I tried to remove the credentials from my syncrepl configuration using 
certificate authentication instead.

To do so I added a user certificate for my own user and tried ldapwhoami to 
verify that it works.

Unfortunately it does not. I read quite a lot on the subject, and either all 
the descriptions are all poorly written and incomplete, or it must be very 
simple to get it running.

However I failed so far. My suspect is that my olcAuthzRegexp does not properly 
map the certificate’s name to the user, or the mapping is not called at all.

Can anybody provide a sample configuration for the client user to verify the 
configuration, and maybe give an example on the server side to get it working.

What I have tried so far is having a ~/ldaprc with:

  TLS_REQCERT demand
  TLS_CACERT ./User-CA.crt
  TLS_CERT ./uid=user.crt
  TLS_KEY ./uid=user.pem
  LDAPSASL_MECH external

And I tried the command “ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v”

I tried these olcAuthzRegexp:

  olcAuthzRegexp: {1} "C=DE,…,O=…,uid=([^,]+)" uid=$1,ou=people,dc=…,dc==de
  olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=…,dc=de

(I left out the details of the certificate and directory contexts)

Kind regards,

Ulrich Windl