
Multimaster SASL/EXTERNAL (TLS client cert) error



Hi everyone!

I've set up two test ldap servers (2.4.10) with multimaster replication.
With simple binds it is working well.
I've set up a client certificate (everything CA signed, no self-signing
;-) ) to use with SASL/EXTERNAL authentication.
Using olcAuthzRegexp I've mapped it to the rootdn of the cn=config
backend, set up an .ldaprc file and with:
su -c '/usr/bin/ldapwhoami' openldap -s /bin/sh
(I'm running slapd as openldap user and group)
I get:
SASL/EXTERNAL authentication started
SASL username: cn=LDAP Syncrepl Client,ou=LDAP Server,o=Kossuth
Zsuzsanna SZKI,l=Dabas,st=Pest,c=HU
SASL SSF: 0
dn:cn=config
just like expected (ldapsearch and friends are also working on both
sides and cross).
Just to be sure I've exported the LDAPCONF variable in the slapd startup
script.
But syncrepl doesn't work!
In the logs (olcLogLevel=-1):
slap_client_connect: URI=ldaps://first-or-second-ldap-server
ldap_sasl_interactive_bind_s failed (-6)
connection_read(20): unable to get TLS client DN, error=49 id=23

Many thanks!

Geza
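Added example, not from Geza's post: the two sides of a SASL/EXTERNAL syncrepl setup written as cn=config LDIF, showing that the replicating slapd presents its client certificate through the syncrepl tls_* keywords rather than through a user's .ldaprc, and that the provider only requests a client certificate when olcTLSVerifyClient allows it. The certificate DN, hostnames and file paths are placeholders.

```ldif
# Provider side (apply on both servers in a multimaster pair): request the
# client certificate and map the certificate subject onto a local identity.
# DN and paths below are placeholders for this example.
dn: cn=config
changetype: modify
# Without allow/try/demand the server never asks for a client cert, so
# SASL/EXTERNAL has no DN to work with and the bind fails.
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
# The pattern is matched against the normalised (lower-cased) "dn:" form of
# the certificate subject. Mapping to the rootdn of cn=config, as in the
# post; a dedicated replicator entry with read access is the least-privilege
# alternative when only the data backends are replicated.
replace: olcAuthzRegexp
olcAuthzRegexp: dn:cn=syncrepl client,ou=ldap server,o=example,c=hu cn=config

# Consumer side: the syncrepl client is slapd itself, so its certificate is
# named here, not in .ldaprc. The key file must be readable by the user slapd
# runs as (openldap in the post) and by nobody else.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://ldap1.example.invalid
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/ldap/syncrepl-client.crt
  tls_key=/etc/ldap/syncrepl-client.key
  tls_cacert=/etc/ldap/ca.crt
  tls_reqcert=demand
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 300 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

The mirrored server gets the same stanza with a different rid and the peer's provider URI, and olcServerID must already be set on both.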