
Syncrepl: consumer ignores bindmethod=sasl



Hi All,

I'm trying to get syncrepl to work with TLS and SASL EXTERNAL. I think
I configured everything correctly; I explicitly state it should use
bindmethod=sasl, but in the logs I see it is using simple nonetheless.
Replication subsequently fails because of a lack of access rights. Using
ldapsearch with identical settings in .ldaprc works... I'm at a loss.
Does anybody know what is going on?


Excerpt from slapd.conf of consumer:

syncrepl rid=13
   provider=ldaps://example.org:636
   type=refreshAndPersist
   interval=00:00:30:00
   searchbase="ou=People,dc=example,dc=org"
   scope=sub
   bindmethod=sasl
   saslmech=EXTERNAL
   schemachecking=off
   authcid=cn=kelderlied,ou=hosts,o=example
   authzid=cn=kelderlied,ou=hosts,o=example
   tls_cacert=/etc/ldap/trusted/ca.drs.p-cacert_root_3.pem
   tls_cert /etc/ssl/CA/kelderlied.crt
   tls_key /etc/ssl/CA/kelderlied.key
   tls_reqcert=demand
   starttls=critical



When syncrepl is started on the consumer, I see the following in the logs
of the provider:

>  ACCEPT from IP=A.B.C.D:55428 (IP=0.0.0.0:636)
>  TLS established tls_ssf=128 ssf=128
>  BIND dn="" method=128
>  conn=1099 op=0 RESULT tag=97 err=0 text=
>  SRCH BASE.....

So, TLS is successful (I have TLS_REQ = demand on the provider), but a simple bind is requested.

Here I do a search by hand, with identical settings in my .ldaprc, that succeeds:

> ldapsearch -H ldaps://example.org:636 -Y EXTERNAL -b "ou=people,dc=example,dc=org" "(objectClass=*)"

In the logs:

>  ACCEPT from IP=A.B.C.D:55434 (IP=0.0.0.0:636)
>  TLS established tls_ssf=128 ssf=128
>  BIND dn="" method=163
>  BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
>  BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
>  RESULT tag=97 err=0 text=

Any help is appreciated...

Tim
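The two provider log excerpts above differ in the `method=` value: 128 is 0x80, the LDAP BindRequest tag for a simple bind, and 163 is 0xa3, the tag for a SASL bind (OpenLDAP's LDAP_AUTH_SIMPLE and LDAP_AUTH_SASL). A `BIND dn="" method=128` after `TLS established` is therefore an anonymous simple bind over TLS, which is exactly what a consumer that silently fell back from SASL EXTERNAL would produce. The script below is an added example, not code from the original post or from OpenLDAP: it parses slapd `stats`-style log lines, summarizes per connection whether TLS was established and which bind method and SASL mechanism were used, and lists connections that did a simple bind over TLS, so an administrator can confirm from the provider side whether a consumer really bound with SASL. The sample log lines are constructed from the shapes shown in the post, with `conn=` prefixes as slapd normally writes them; the IP address and connection numbers are made up.

```python
"""Classify BIND operations in slapd log lines (added example, not from the post)."""
import re

# LDAP BindRequest AuthenticationChoice tags (RFC 4511): simple is
# context-specific [0] primitive = 0x80, SASL is [3] constructed = 0xa3.
# slapd logs the tag in decimal, hence 'method=128' and 'method=163'.
LDAP_AUTH_SIMPLE = 0x80  # 128
LDAP_AUTH_SASL = 0xA3    # 163
METHOD_NAMES = {LDAP_AUTH_SIMPLE: "simple", LDAP_AUTH_SASL: "sasl"}

CONN_RE = re.compile(r"conn=(\d+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
# The second BIND line of a SASL bind names the resulting authorization DN
# and the mechanism, e.g. BIND dn="cn=x,dc=example" mech=EXTERNAL sasl_ssf=0 ssf=128
MECH_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')

# Constructed sample: one anonymous simple bind and one SASL EXTERNAL bind,
# both over TLS, mirroring the two excerpts in the post.
SAMPLE_LOG = """\
conn=1099 fd=12 ACCEPT from IP=192.0.2.10:55428 (IP=0.0.0.0:636)
conn=1099 fd=12 TLS established tls_ssf=128 ssf=128
conn=1099 op=0 BIND dn="" method=128
conn=1099 op=0 RESULT tag=97 err=0 text=
conn=1100 fd=13 ACCEPT from IP=192.0.2.10:55434 (IP=0.0.0.0:636)
conn=1100 fd=13 TLS established tls_ssf=128 ssf=128
conn=1100 op=0 BIND dn="" method=163
conn=1100 op=0 BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
conn=1100 op=0 BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
conn=1100 op=0 RESULT tag=97 err=0 text=
""".splitlines()


def summarize_connections(lines):
    """Return {conn_id: {tls, method, bind_dn, mech, bound_as}} for the given log lines."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {
            "tls": False, "method": None, "bind_dn": "", "mech": None, "bound_as": None,
        })
        if TLS_RE.search(line):
            c["tls"] = True
            continue
        b = BIND_RE.search(line)
        if b:
            c["bind_dn"] = b.group(1)
            c["method"] = METHOD_NAMES.get(int(b.group(2)), "unknown")
            continue
        s = MECH_RE.search(line)
        if s:
            # DN slapd resolved the SASL identity to, and the mechanism used
            c["bound_as"] = s.group(1)
            c["mech"] = s.group(2)
    return conns


def describe(conn):
    """Human-readable summary of how one connection authenticated."""
    if conn["method"] == "sasl":
        return f"SASL/{conn['mech']} bind, authorized as {conn['bound_as']}"
    if conn["method"] == "simple":
        if conn["bind_dn"] == "":
            return "anonymous simple bind (empty DN)"
        return f"simple bind as {conn['bind_dn']}"
    return "no bind seen"


def simple_binds_over_tls(lines):
    """Connection ids that established TLS and then used a simple (not SASL) bind."""
    conns = summarize_connections(lines)
    return sorted(cid for cid, c in conns.items() if c["tls"] and c["method"] == "simple")


if __name__ == "__main__":
    for cid, conn in summarize_connections(SAMPLE_LOG).items():
        print(f"conn={cid}: tls={conn['tls']} {describe(conn)}")
    print("simple binds over TLS:", simple_binds_over_tls(SAMPLE_LOG))
```

Run it against a provider log with `loglevel stats` enabled and feed it the lines for the consumer's source address; a syncrepl consumer that is really using SASL EXTERNAL shows up with `method=163` followed by a `mech=EXTERNAL` line, while the anonymous `method=128` pattern explains the access-denied result the post describes, since the search then runs with anonymous rights.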