[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd-meta idassert with SASL EXTERNAL not working correctly


I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
using slapd-meta.
The remote servers require SASL EXTERNAL authentication, so I have to
configure TLS client auth.

The relevant part of my slapd.conf looks like this:
database meta
suffix "dc=example"

uri "ldaps://server2:636/cn=server2,dc=example"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=sasl

Starting slapd with this config results in anonymous authentication
against "server2", even though I configured the idassert-bind to use
SASL EXTERNAL with the given keys/certs.

The strange thing is:
When I'm starting slapd with the environment variables
LDAPTLS_CERT,LDAPTLS_KEY,LDAPTLS_CACERT (same values as the options in
idassert-bind), everything works (the meta backend authenticates with
the given keys/certs).

Why do I have to set those environment variables to get the meta
backend working?
And respectively, why do the tls_* options in idassert-bind have no
effect (in that case)?

Thanks in advance,