So you're using TLS client cert and SASL/EXTERNAL to a hostname (also in the server cert) but where the IP address of the hostname is directly routed through 127.0.0.1?
The slapd log of my same-host tests confirms they in fact used the IPv4
loopback address, 127.0.0.1, even though the bind URI specified the FQDN.
Not sure but the difference is the client IP address. If the client can reach slapd through 127.0.0.1 the client's IP address is also 127.0.0.1 which could make a difference in the SASL client handling. Anyone said hostname canonicalization? Does setting sasl-host <fqdn> make a difference?
The ~/.ldaprc used by the client in these tests contained "TLS_REQCERT
none", so a mismatch between the server's FQDN and the peer address
actually used would not have been detected. Another difference would be
"ping-pong" memory allocation between client and server. Even though
different processes, they may allocate from the same pool. With the
client running on a different host in other tests, slapd would not be
competing with other processes in a predictable, repeatable fashion
(slapd SEGFAULTs were 100% repeatable for specific sequences of EXTERNAL
binds, but only with client and server on the same host).
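As an added illustration, not taken from the thread: the client-side ~/.ldaprc setting described above beside a stricter one that would have caught an FQDN/peer-certificate mismatch before the SASL/EXTERNAL bind. The certificate paths and the hostname are placeholders assumed for this example.

```conf
# --- ~/.ldaprc as used in the same-host tests above ---
# The server certificate is not verified at all, so a name that does not
# match the FQDN in the bind URI (or a 127.0.0.1 peer presenting some other
# certificate) goes unnoticed; the EXTERNAL bind proceeds regardless.
TLS_REQCERT  none

# --- stricter ~/.ldaprc (paths and hostname are placeholders) ---
# "demand" makes libldap require a certificate that chains to TLS_CACERT
# and whose name matches the host in the URI; on mismatch the TLS
# handshake fails and no SASL/EXTERNAL bind is attempted.
TLS_REQCERT  demand
TLS_CACERT   /etc/ssl/certs/example-ca.pem
TLS_CERT     /home/user/.ldap/client-cert.pem
TLS_KEY      /home/user/.ldap/client-key.pem
URI          ldaps://ldap.example.test
SASL_MECH    EXTERNAL
```

With the stricter file in place, a bind that is silently routed via the loopback address but presents a certificate for a different name is rejected at TLS setup, which separates a certificate-identity problem from the memory-allocation behaviour discussed in the thread.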