I've just tested this scenario using the back-meta sources (and slap.h, sl_malloc.c) from HEAD. I also tried to add "tls start" to the back-meta configuration.
Not sure why you need those...
Unfortunately, the problem still persists. (But the workaround, setting LDAPTLS_..., still works.)
When I look at the debug outputs (at debug level 1), the first difference is in the SSL_connect messages. Only my workaround method is sending the "write certificate verify" to authenticate with the certificate, whereas it doesn't send this message without the workaround.
Can I see the entire configuration of both sides? (minus passwords and so on, of course). Is the client using TLS? I'll re-check later, but I could use TLS-based EXTERNAL auth with both back-ldap and back-meta with and without setting "tls start".
Just to make sure, can you pull the entire HEAD? Thanks for checking, in any case. p.
The output from the "good" request (with workaround) is:

TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
The output from the request without the workaround:

TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=localhost
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 15
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
Regards, Manuel
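
Added example, not part of the original message and not OpenLDAP code: a small Python parser for the TLS trace lines quoted above. It reports whether the client sent "certificate verify" after the server's certificate request and where two traces first diverge. The function names and status labels are assumptions made for this illustration.

```python
import re

# Handshake state lines as they appear in the quoted debug output, e.g.
# "TLS trace: SSL_connect:SSLv3 write certificate verify A".
STATE = re.compile(r"TLS trace: SSL_connect:\S+ (read|write) (.+?)(?: [A-D])?$")

# TLS lines of the successful trace quoted in the message above.
GOOD = """\
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
"""
# The failing trace in the message has the same TLS lines minus this one.
BAD = GOOD.replace("TLS trace: SSL_connect:SSLv3 write certificate verify A\n", "")

def handshake_states(trace):
    """Ordered (direction, message) pairs; non-handshake lines are skipped."""
    return [m.groups() for line in trace.splitlines()
            if (m := STATE.search(line.strip()))]

def client_cert_status(trace):
    """Did the client sign the handshake after being asked for a certificate?"""
    states = handshake_states(trace)
    if ("read", "server certificate request") not in states:
        return "not-requested"
    if ("write", "certificate verify") in states:
        return "authenticated"
    # Certificate message but no signature: no client-certificate
    # authentication took place, so SASL EXTERNAL has no identity to use.
    return "no-proof"

def first_divergence(a, b):
    """Index and states at the first point where two handshakes differ."""
    for i, (x, y) in enumerate(zip(handshake_states(a), handshake_states(b))):
        if x != y:
            return i, x, y
    return None

if __name__ == "__main__":
    print(client_cert_status(GOOD), client_cert_status(BAD))
    print(first_divergence(GOOD, BAD))
```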