
Re: (ITS#8008) proxyauth with saslmech EXTERNAL not working



Hello,

Just in case someone is still looking at this: I stumbled on the same
issue when upgrading OpenLDAP from an old version (2.4.2x) to 2.4.40.
I first used a Debian package, then compiled it myself; same behaviour.

However, I managed to make it work by explicitly setting the
"override" flag in the chain-idassert-bind parameters (I'm not sure
it's the right way to fix this "issue"):

chain-idassert-authzFrom "dn:*"
chain-idassert-bind   bindmethod=sasl
                      saslmech="EXTERNAL"
                      mode=self
                      flags=override,proxy-authz-critical
                      starttls=critical
                      tls_cacert=/etc/ldap/ssl/CA.pem
                      tls_key=/etc/ldap/ssl/private/key.pem
                      tls_cert=/etc/ldap/ssl/proxy.pem
                      tls_reqcert=demand


For those who like the cn=config syntax better:

olcDbIDAssertBind: mode=self
flags=prescriptive,override,proxy-authz-critical bindmethod=sasl
timeout=0 network-timeout=0 saslmech=EXTERNAL keepalive=0:0:0
starttls=critical tls_cert="/opt/SNet/etc/ldap/ssl/proxy.pem"
tls_key="/opt/SNet/etc/ldap/ssl/private/key.pem"
tls_cacert="/opt/SNet/etc/ldap/ssl/CA.pem" tls_reqcert=demand


Note:
Prior to that, the flags were NOT set explicitly, so the following
default values were used:

olcDbIDAssertBind: mode=self
flags=prescriptive,proxy-authz-non-critical bindmethod=sasl timeout=0
network-timeout=0 saslmech=EXTERNAL keepalive=0:0:0 starttls=critical
tls_cert="/opt/SNet/etc/ldap/ssl/proxy.pem"
tls_key="/opt/SNet/etc/ldap/ssl/private/key.pem"
tls_cacert="/opt/SNet/etc/ldap/ssl/CA.pem" tls_reqcert=demand
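As an added check (not part of the original message or of OpenLDAP), the script below parses an olcDbIDAssertBind value into its options and reports whether the sasl/EXTERNAL identity-assertion bind still carries the defaults shown above or the working flags; the two sample values are constructed copies of the ones quoted in this post.

```python
import shlex

# Constructed copies of the two olcDbIDAssertBind values quoted in the post:
# the defaults slapd used (flags left unset) and the working configuration.
DEFAULT_IDASSERT_BIND = (
    'mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=sasl '
    'timeout=0 network-timeout=0 saslmech=EXTERNAL keepalive=0:0:0 '
    'starttls=critical tls_cert="/opt/SNet/etc/ldap/ssl/proxy.pem" '
    'tls_key="/opt/SNet/etc/ldap/ssl/private/key.pem" '
    'tls_cacert="/opt/SNet/etc/ldap/ssl/CA.pem" tls_reqcert=demand'
)
FIXED_IDASSERT_BIND = DEFAULT_IDASSERT_BIND.replace(
    "flags=prescriptive,proxy-authz-non-critical",
    "flags=prescriptive,override,proxy-authz-critical",
)


def parse_idassert_bind(value: str) -> dict:
    """Split an idassert-bind value into {option: value}; 'flags' becomes a set.
    shlex strips the quotes around the tls_* paths."""
    opts = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"option without a value: {token!r}")
        opts[key] = set(filter(None, val.split(","))) if key == "flags" else val
    return opts


def check_idassert_bind(value: str) -> list:
    """Findings for a sasl/EXTERNAL identity-assertion bind; [] means the
    flags reported as working in the post are in place."""
    opts = parse_idassert_bind(value)
    if opts.get("bindmethod") != "sasl" or opts.get("saslmech", "").upper() != "EXTERNAL":
        return ["not a sasl/EXTERNAL bind; these checks do not apply"]
    flags = opts.get("flags", set())
    findings = []
    if "override" not in flags:
        findings.append("flags lacks 'override' (the flag the post reports as the fix)")
    if "proxy-authz-critical" not in flags:
        findings.append("proxyAuthz control is sent non-critical; a server that "
                        "ignores the control will still process the operation")
    if opts.get("starttls") != "critical":
        findings.append("starttls is not 'critical'; a failed StartTLS would not abort the bind")
    if opts.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert is not 'demand'; the remote certificate is not enforced")
    return findings


if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULT_IDASSERT_BIND), ("fixed", FIXED_IDASSERT_BIND)):
        print(name, check_idassert_bind(cfg) or ["ok"])
```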