With 2.4.21, I'm trying to use SASL EXTERNAL authentication with a back-ldap instance pointed to another ldap server listening on the same host -- ldapi:///. Here is the config:
database ldap
suffix o=llnw
uri ldapi:///
rebind-as-user true
idassert-bind bindmethod=sasl saslmech=EXTERNAL
This doesn't seem to work, it just results in a plain anonymous bind over ldapi:
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
[...]
I've tried the various mode= arguments and even tried setting authcId/authzId, but ran into various errors. What I'm looking for is to have all incoming anonymous connections be mapped to the equivalent of this ldapsearch command:
ldapsearch -H ldapi:/// -Y EXTERNAL <...>
Which shows up in the slapd log like so:
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND authcid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM" authzid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM"
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112
Thanks,
-Kartik
openldap-software@openldap.org
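A check worth having when debugging a proxy bind like the one above (an added example, not code from the original post or from OpenLDAP): a small parser over slapd log lines in the format quoted in the message that reports, per connection, whether an ldapi connection ended up bound anonymously (method=128 with an empty DN, as in conn=1140) or via SASL EXTERNAL (method=163 followed by a mech=EXTERNAL line, as in conn=1143). The sample log text is constructed from the excerpts in the post; the method numbers are the LDAP bind tags slapd prints.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two slapd excerpts quoted in the post.
SAMPLE_LOG = """\
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND authcid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM" authzid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM"
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112
"""

BIND_METHOD_SIMPLE = 128  # simple bind; dn="" means anonymous
BIND_METHOD_SASL = 163    # SASL bind; identity appears on the later mech= line

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+) sasl_ssf=(\d+) ssf=(\d+)')


def classify_binds(log_text):
    """Return {conn_id: info} describing how each connection bound."""
    conns = defaultdict(lambda: {"from": None, "method": None, "dn": "",
                                 "mech": None, "anonymous": None})
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]]["from"] = m[2]
        elif m := MECH_RE.search(line):
            # Final SASL bind line: carries the effective DN and mechanism.
            c = conns[m[1]]
            c["dn"], c["mech"] = m[2], m[3]
            c["anonymous"] = (m[2] == "")
        elif m := BIND_RE.search(line):
            c = conns[m[1]]
            c["method"], c["dn"] = int(m[3]), m[2]
            if c["method"] == BIND_METHOD_SIMPLE:
                c["anonymous"] = (m[2] == "")
    return dict(conns)


def anonymous_ldapi_conns(log_text):
    """Ids of connections over a unix socket (PATH=...) that bound anonymously."""
    return sorted(cid for cid, c in classify_binds(log_text).items()
                  if c["from"] and c["from"].startswith("PATH=") and c["anonymous"])
```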