slapd-meta idassert with SASL EXTERNAL not working correctly
- To: openldap-technical@openldap.org
- Subject: slapd-meta idassert with SASL EXTERNAL not working correctly
- From: Manuel Gaupp <mgaupp@googlemail.com>
- Date: Wed, 8 Sep 2010 08:55:40 +0200
Hi,
I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
using slapd-meta.
The remote servers require SASL EXTERNAL authentication, so I have to
configure TLS client auth.
The relevant part of my slapd.conf looks like this:
-------------------------------------------------
database meta
suffix "dc=example"
uri "ldaps://server2:636/cn=server2,dc=example"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=mycert.crt
    tls_key=mycert.key
    tls_cacert=trusted-ca.pem
    mode=none
-------------------------------------------------
Starting slapd with this config results in anonymous authentication
against "server2", even though I configured the idassert-bind to use
SASL EXTERNAL with the given keys/certs.
The strange thing is:
When I start slapd with the environment variables
LDAPTLS_CERT, LDAPTLS_KEY, LDAPTLS_CACERT (same values as the options in
idassert-bind), everything works (the meta backend authenticates with
the given keys/certs).
Why do I have to set those environment variables to get the meta
backend working?
And respectively, why do the tls_* options in idassert-bind have no
effect (in that case)?
Thanks in advance,
Manuel