Re: slapd-meta idassert with SASL EXTERNAL not working correctly

[Dan White <dwhite@olp.net>]

On 08/09/10 08:55 +0200, Manuel Gaupp wrote:
> Hi,
>
> I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
> using slapd-meta.
> The remote servers require SASL EXTERNAL authentication, so I have to
> configure TLS client auth.
>
> The relevant part of my slapd.conf looks like this:
> -------------------------------------------------
> database meta
> suffix "dc=example"
>
> uri "ldaps://server2:636/cn=server2,dc=example"
> idassert-authzFrom "dn:*"
> idassert-bind bindmethod=sasl
>             saslmech=EXTERNAL
>             tls_cert=mycert.crt
>             tls_key=mycert.key
>             tls_cacert=trusted-ca.pem
>             mode=none
> -------------------------------------------------

> Starting slapd with this config results in anonymous authentication
> against "server2", even though I configured the idassert-bind to use
> SASL EXTERNAL with the given keys/certs.

What setting do you have for TLSVerifyClient on the server side? According
16.2.1.8 of the Administrator's Guide, you'll need a non-default setting
for the server to ask for the client certificate.

Also, have you attempted to perform a bind using the client utilities, to
rule out any problems with the server config?

--
Dan White