Bind Domain is where I’m struggling. My command line uses a --bindDN and --bindPassword but the GUI is only set up for a bindDN.
I guess I don’t understand what I’m using, since in other implementations I’ve had to enter the password in the configuration file and save the file with 600 permissions.
My organization scheme looks like the following: (it’s pretty basic):
The bind is made with the user’s credentials, which is how they’re verified. That’s the %s placeholder in the bind DN. In your case you want something like cn=%s,ou=users,dc=ldap,dc=example,dc=com.
Ok so I had to spend a lot of time figuring things out to address my problems, but I’m posting a solution here for the next person. It was a combination of the OpenLDAP setup and Syncthing.
Syncthing does not have an option to use TLS client certificates. I wish it could, but it does not. Because of this I had to change my OpenLDAP config from LDAP_TLS_VERIFY_CLIENT=demand to LDAP_TLS_VERIFY_CLIENT=try.
If using self-signed SSL certs for the OpenLDAP, make sure within Syncthing you choose LDAP->Insecure Skip Verify. I also thought there was a way to add a self-signed root CA.pem or CA.cert file within Syncthing; however, it doesn’t seem to have this option.
Within the LDAP configuration, I needed to ensure that individual users could read their own configuration. This is the equivalent of doing an ldapsearch on the command line of:
Again the above command – specifically the ou=users,dc=ldap,dc=domain,dc=com – may change depending on your table layout within LDAP.
The database needs to have at minimum an olcAccess rule like the following:
olcAccess: {1}to * by self read
These rules were found in the olcDatabase={1}mdb.ldif file within the cn=config directory of OpenLDAP.
Hopefully this helps. Would be great if Syncthing could add at least a way to import a self-signed rootCA.pem. Client certificates are nice; however, there is a workaround.