
Re: slapd-meta idassert with SASL EXTERNAL not working correctly

> Hi,
> I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
> using slapd-meta.
> The remote servers require SASL EXTERNAL authentication, so I have to
> configure TLS client auth.
> The relevant part of my slapd.conf looks like this:
> -------------------------------------------------
> database meta
> suffix "dc=example"
> uri "ldaps://server2:636/cn=server2,dc=example"
> idassert-authzFrom "dn:*"
> idassert-bind bindmethod=sasl
>              saslmech=EXTERNAL
>              tls_cert=mycert.crt
>              tls_key=mycert.key
>              tls_cacert=trusted-ca.pem
>              mode=none
> -------------------------------------------------
> Starting slapd with this config results in anonymous authentication
> against "server2", even though I configured the idassert-bind to use
> SASL EXTERNAL with the given keys/certs.
> The strange thing is:
> When I'm starting slapd with the environment variables
> LDAPTLS_CERT,LDAPTLS_KEY,LDAPTLS_CACERT (same values as the options in
> idassert-bind), everything works (the meta backend authenticates with
> the given keys/certs).
> Why do I have to set those environment variables to get the meta
> backend working?
> And respectively, why do the tls_* options in idassert-bind have no
> effect (in that case)?

Apparently, although those options are perfectly valid, they are ignored
by back-meta. I suggest you file an ITS <http://www.openldap.org/its/>.
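Until the tls_* idassert-bind options take effect, the only thing the thread shows working is the environment-variable route. The wrapper below is an added example (not from the original mails or from OpenLDAP) of doing that deliberately rather than by accident: it checks the key material, exports the LDAPTLS_CERT/LDAPTLS_KEY/LDAPTLS_CACERT variables that libldap reads (see ldap.conf(5)), proves with ldapwhoami that SASL EXTERNAL yields a real identity and not "anonymous", and only then execs slapd in the same environment so the meta backend inherits it. The file paths, the ldaps URI, the slapd command line and the RUN_SLAPD_TLS_WRAPPER guard variable are assumptions.

```shell
#!/bin/sh
# Added example for the workaround discussed in the thread; not part of the
# original mail or of OpenLDAP. It relies on libldap honouring the LDAPTLS_*
# environment variables (ldap.conf(5)), which the poster found slapd-meta
# does even while the tls_* idassert-bind options are ignored.
# Paths, URI, and the guard variable RUN_SLAPD_TLS_WRAPPER are assumptions.

# 0 if the argument is an existing, readable regular file.
require_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# A client-auth private key readable by group/others can be reused by any
# local user to impersonate the proxy; refuse it. 0 = only the owner has
# read/write bits, 1 = group or other has an r or w bit (or file missing).
key_perms_ok() {
    [ -e "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # the group and other permission bits
    case "$perms" in
        *r*|*w*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Export the three variables libldap looks at. Every libldap client started
# from this shell (slapd's meta backend, ldapwhoami, ...) inherits them.
export_ldap_tls_env() {
    require_readable "$1" && require_readable "$2" && require_readable "$3" \
        || return 1
    key_perms_ok "$2" || {
        echo "refusing to use $2: readable by group/others" >&2
        return 1
    }
    LDAPTLS_CERT=$1; LDAPTLS_KEY=$2; LDAPTLS_CACERT=$3
    export LDAPTLS_CERT LDAPTLS_KEY LDAPTLS_CACERT
}

# Ask the remote server who it thinks we are over SASL EXTERNAL. ldapwhoami
# prints "anonymous" when no identity was established, which is exactly the
# symptom reported above. 0 with the identity on stdout, 1 otherwise.
verify_external_identity() {
    who=$(ldapwhoami -Q -Y EXTERNAL -H "$1" 2>/dev/null) || return 1
    case "$who" in
        ""|anonymous) return 1 ;;
        *) printf '%s\n' "$who"; return 0 ;;
    esac
}

main() {
    cert=${1:-/etc/openldap/mycert.crt}        # assumed paths
    key=${2:-/etc/openldap/mycert.key}
    ca=${3:-/etc/openldap/trusted-ca.pem}
    uri=${4:-ldaps://server2:636/}             # remote from the posted config

    export_ldap_tls_env "$cert" "$key" "$ca" || exit 1
    if who_id=$(verify_external_identity "$uri"); then
        echo "SASL EXTERNAL to $uri authenticates as: $who_id"
    else
        echo "SASL EXTERNAL to $uri is anonymous; not starting slapd" >&2
        exit 1
    fi
    # Same environment, so back-meta's idassert bind sees the same cert/key.
    # -d 0 keeps slapd in the foreground without debug output (assumed flags).
    exec /usr/sbin/slapd -d 0 -h "ldap:/// ldaps:///"
}

# Run the driver only when asked, so the functions can also be sourced.
if [ "${RUN_SLAPD_TLS_WRAPPER:-0}" = 1 ]; then
    main "$@"
fi
```

One caveat worth keeping in mind: LDAPTLS_* variables set process-wide libldap defaults, so they apply to every outbound TLS connection slapd makes, not just the meta target in question. If the same slapd also speaks TLS elsewhere (another meta URI, syncrepl), that connection will present this client certificate too.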