(Answer) How to set up syncrepl using tls certs (sasl external bind)
Consumer:
-----------------
syncrepl rid=042
   provider=ldap://hell.yahweh.net
   sizelimit=unlimited
   bindmethod=sasl
   saslmech=external
   starttls=yes
   tls_cert=/etc/openldap/certs/replicator.pem
   tls_key=/etc/openldap/certs/replicator-key.pem
   tls_cacert=/etc/openldap/certs/yahwehCA.pem
   tls_reqcert=demand
   searchbase="o=yahweh"

Note two things: there is NO binddn; instead, there is tls_cert, pointing at replicator.pem. This client certificate takes the place of the binddn.
Provider:
----------
authz-regexp cn=replicator "uid=replicator,cn=special,o=yahweh"
TLSVerifyClient demand

TLSVerifyClient defaults to never; for SASL EXTERNAL to work, the server needs the client's cert. That's why you use demand/allow/try for TLSVerifyClient.
You also need to tell the syncrepl provider how to derive the binddn from the cert's cn. That's what authz-regexp does.
On provider:
-----------
authz-regexp cn=replicator uid=replicator,cn=special,o=yahweh
TLSVerifyClient allow/try/demand
raindoctor@gmail.com
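A small model of the two provider-side steps above (TLSVerifyClient deciding whether a client cert is requested at all, and authz-regexp rewriting the cert subject into the binddn), added here as an illustration; it is not OpenLDAP code. It assumes the identity slapd hands to authz-regexp is the certificate subject in RFC 4514 string form, matched as a case-insensitive POSIX extended regex anywhere in that string, first matching rule winning; the certificate subjects and the anchored rule are constructed for the example.

```python
import re

# authz-regexp directive from the answer above, modelled as (match, replace):
#   authz-regexp cn=replicator "uid=replicator,cn=special,o=yahweh"
PAGE_RULES = [
    (r"cn=replicator", "uid=replicator,cn=special,o=yahweh"),
]

# Hardened variant (a suggestion, not on the page): anchor the pattern to the
# whole certificate subject so only that exact subject maps to the replicator DN.
ANCHORED_RULES = [
    (r"^cn=replicator,o=yahweh$", "uid=replicator,cn=special,o=yahweh"),
]


def _expand(m, replacement):
    """Expand $0..$9 in <replace> from the match and its capture groups."""
    groups = (m.group(0),) + m.groups(default="")

    def sub(g):
        n = int(g.group(1))
        return groups[n] if n < len(groups) else ""

    return re.sub(r"\$(\d)", sub, replacement)


def map_authcid(authcid, rules):
    """Apply authz-regexp rules to a SASL authentication identity.

    Model (assumption): <match> is a case-insensitive POSIX ERE searched
    anywhere in the authcid; the first matching rule wins.
    Returns the authorization DN, or None when no rule matches.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authcid, re.IGNORECASE)
        if m is not None:
            return _expand(m, replacement)
    return None


def sasl_external_bind(cert_subject, tls_verify_client, rules):
    """Outcome of a SASL EXTERNAL bind on the provider.

    cert_subject is the client cert subject (RFC 4514 string form) or None
    when no certificate was presented. With TLSVerifyClient never, slapd
    never asks for a client certificate, so there is no identity to map.
    """
    if tls_verify_client == "never" or cert_subject is None:
        return None
    return map_authcid(cert_subject, rules)
```

With the page's unanchored pattern, a constructed subject such as cn=replicator2,o=yahweh also maps to the replicator DN, because cn=replicator matches as a substring; the anchored rule rejects it.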

This document is: http://www.openldap.org/faq/index.cgi?file=1504
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org