Problems with ppolicy_forward_updates and starttls with certificate-based auth

[Kartik Subbarao <subbarao@computer.org>]

I'm trying to get a consumer server to forward ppolicy-related updates 
to its provider server, and to use certificate-based authentication 
(SASL EXTERNAL) over STARTTLS when authenticating to the provider. This 
is with 2.4.23 on a Debian 5.0.5 system (I've seen similar issues 
reported elsewhere so I doubt this is platform specific).

I'm running into multiple problems here. The core problem seems to be 
that enabling ppolicy_forward_updates breaks the chaining overlay such 
that it binds anonymously instead of with SASL EXTERNAL. Another problem 
is that bind operations to the consumer server start to return two 
result messages -- one with the error code of the chained operation, and 
one with the error code of the bind operation. This latter problem seems 
to the cause of the (still unresolved?) errors from this message thread 
earlier this year:

http://www.mail-archive.com/openldap-technical@openldap.org/msg01215.html

To simplify reproducing the problem, I've worked with test022-ppolicy in 
the openldap test framework. I've submitted ITS 6711 based on this. 
Here, I ran into another issue. I can't seem to be able to configure 
sasl external/starttls chaining properly with the cn=config style 
configuration that test022-ppolicy applies. The self-signed cert that 
I'm using works fine with replication, but it doesn't seem to work with 
chaining. This may or may not be another issue that needs to be resolved.

In any case, with the attached files in the ITS, I hope that what I'm 
trying to do and the results that I'm getting should be as clear and 
unambiguous as possible. I'd appreciate any feedback on whether there is 
something else I need to configure or if there are bugs here that need 
to be fixed.

Thanks,

	-Kartik