Hi!

I tried to remove the credentials from my syncrepl configuration using 
certificate authentication instead.
To do so I added a user certificate for my own user and tried ldapwhoami to 
verify that it works.
Unfortunately it does not. I read quite a lot on the subject, and either all 
the descriptions are poorly written and incomplete, or it must be very 
simple to get it running.
However, I have failed so far. My suspicion is that my olcAuthzRegexp does not properly 
map the certificate's name to the user, or the mapping is not called at all.
Can anybody provide a sample configuration for the client user to verify the 
configuration, and maybe give an example on the server side to get it working?

What I have tried so far is having a ~/ldaprc with:
TLS_REQCERT demand
TLS_CACERT ./User-CA.crt
TLS_CERT ./uid=user.crt
TLS_KEY ./uid=user.pem
LDAPSASL_MECH external

And I tried the command "ldapwhoami -H ldap://FQHN -D uid=user,cn=gssapi,cn=auth -Z -v"

I tried these olcAuthzRegexp:
olcAuthzRegexp: {1} "C=DE,...,O=...,uid=([^,]+)" uid=$1,ou=people,dc=...,dc=de
olcAuthzRegexp: {2} "^uid=([^,]+),cn=gssapi,cn=auth$" uid=$1,ou=people,dc=...,dc=de

(I left out the details of the certificate and directory contexts)

Kind regards,
Ulrich Windl
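An added helper (not from the post above) for checking offline which olcAuthzRegexp rule would map a given SASL EXTERNAL identity, emulating slapd's first-match-wins evaluation, case-insensitive matching and $N substitution. It assumes slapd presents a TLS client certificate's subject in LDAP string order (leaf RDN first, the reverse of what OpenSSL prints); the rules, the suffix dc=example,dc=de and the O=Example subject are constructed sample values.

```python
import re
from typing import Optional

# Constructed sample rules, in olcAuthzRegexp {0}, {1} order. The suffix
# dc=example,dc=de and the O=Example subject are assumptions, not from the post.
AUTHZ_REGEXP = [
    # Written in certificate (OpenSSL) order: never matches an LDAP-order identity.
    (r"^c=de,o=example,uid=([^,]+)$", "uid=$1,ou=people,dc=example,dc=de"),
    # LDAP order, leaf RDN first: the form a TLS client certificate yields (assumed).
    (r"^uid=([^,]+),o=example,c=de$", "uid=$1,ou=people,dc=example,dc=de"),
]

# $N or ${N} references in the replacement part of a rule.
_SUBST = re.compile(r"\$(\d)|\$\{(\d+)\}")


def cert_subject_to_identity(openssl_subject: str) -> str:
    """Turn an OpenSSL-style subject (root first, '/'-separated) into the
    LDAP-order string DN slapd uses as the SASL EXTERNAL identity (assumed).
    Simplified: RDN values containing '/' are not handled."""
    rdns = [p for p in openssl_subject.strip("/").split("/") if p]
    return ",".join(reversed(rdns))


def authz_map(identity: str, rules=AUTHZ_REGEXP) -> Optional[str]:
    """Apply the rules in order; the first match wins. None means the identity
    stays unmapped, i.e. ldapwhoami would report the raw certificate DN."""
    for pattern, replacement in rules:
        # slapd compiles authz-regexp patterns with REG_EXTENDED|REG_ICASE.
        m = re.match(pattern, identity, re.IGNORECASE)
        if m is None:
            continue

        def expand(ref):
            n = int(ref.group(1) or ref.group(2))
            return m.group(n) if n <= len(m.groups()) else ""

        return _SUBST.sub(expand, replacement)
    return None


if __name__ == "__main__":
    for subject in ("/C=DE/O=Example/UID=user", "/C=DE/O=Example/CN=user"):
        ident = cert_subject_to_identity(subject)
        print(f"{ident:32} -> {authz_map(ident)}")
```

Compare the identity ldapwhoami reports for an unmapped bind with what the script builds; a rule written in certificate order, like the first one above, is the typical reason a mapping is never applied.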
