[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd-meta idassert with SASL EXTERNAL not working correctly
> Hi,
>
> I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
> using slapd-meta.
> The remote servers require SASL EXTERNAL authentication, so I have to
> configure TLS client auth.
>
> The relevant part of my slapd.conf looks like this:
> -------------------------------------------------
> database meta
> suffix "dc=example"
>
> uri "ldaps://server2:636/cn=server2,dc=example"
> idassert-authzFrom "dn:*"
> idassert-bind bindmethod=sasl
> saslmech=EXTERNAL
> tls_cert=mycert.crt
> tls_key=mycert.key
> tls_cacert=trusted-ca.pem
> mode=none
> -------------------------------------------------
>
> Starting slapd with this config results in anonymous authentication
> against "server2", even though I configured the idassert-bind to use
> SASL EXTERNAL with the given keys/certs.
>
> The strange thing is:
> When I'm starting slapd with the environment variables
> LDAPTLS_CERT,LDAPTLS_KEY,LDAPTLS_CACERT (same values as the options in
> idassert-bind), everything works (the meta backend authenticates with
> the given keys/certs).
>
> Why do I have to set those environment variables to get the meta
> backend working?
> And respectively, why do the tls_* options in idassert-bind have no
> effect (in that case)?
Apparently, although those options are perfectly valid, they are ignored
by back-meta. I suggest you file an ITS <http://www.openldap.org/its/>.
p.