I removed the parameter (tls_cacertdir=/etc/ssl/certs) from the idassert-bind config and the result is:
Client log (other LDAP server):
  ldapsearch -H ldap://ldap-proxy.fr -b "dc=appli,dc=test,dc=com" -D "dn" -w "pwd"
  ldap_bind: Server is unavailable (52)
      additionnal info: Proxy operation retry failed
Proxy log:
  679a61e2.1c43bb27 0x7f8d6cf56640 TLS trace: SSL3 alert read:fatal:unknown
Backend log:
  679b49c4.0aa74b3e 0x7f39e25fd6c0 TLS trace: SSL3 alert write:fatal:unknown
  679b49c4.0aa76a7f 0x7f39e25fd6c0 TLS trace: SSL_accept:error in error
  679b49c4.0aa79f9f 0x7f39e25fd6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
  679b49c4.0aa7fcfb 0x7f39e25fd6c0 connection_read(11): TLS accept failure error=-1 id=1001, closing
  679b49c4.0aa83473 0x7f39e25fd6c0 connection_closing: readying conn=1001 sd=11 for close
  679b49c4.0aa86f6f 0x7f39e25fd6c0 connection_close: conn=1001 sd=11
From the LDAP client, I want to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured with simple authentication (binddn), but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL.
My setup is not working at the moment.
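For reference, an added slapd.conf sketch (not the poster's configuration) of the setup described in the post: simple binds from clients to the proxy, and a mutually authenticated TLS session with SASL EXTERNAL from the proxy to the backend, where the backend's "peer did not return a certificate" error above is the failure mode the proxy-side tls_cert/tls_key settings are there to avoid. Hostnames, file paths, the proxy certificate subject and the DNs are assumptions.

```conf
# Added illustration only; hostnames, paths, subject DN and entry DNs are assumed.

# --- Proxy: slapd-ldap database fronting the backend ---
database        ldap
suffix          "dc=appli,dc=test,dc=com"
uri             "ldap://ldap-backend.example/"
# Clients do plain simple binds against the proxy (no TLS required here).
# The proxy opens its own StartTLS session to the backend, presents a client
# certificate, and authenticates with SASL EXTERNAL; the client's identity is
# then asserted on that session.
idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                starttls=critical
                tls_cacertdir=/etc/ssl/certs
                tls_cert=/etc/ldap/proxy-cert.pem
                tls_key=/etc/ldap/proxy-key.pem
                tls_reqcert=demand
                authz=native
# Which client identities the proxy may assert towards the backend.
idassert-authzFrom  "dn.regex:^uid=[^,]+,dc=appli,dc=test,dc=com$"

# --- Backend: accepts the proxy's certificate as its SASL EXTERNAL identity ---
TLSCACertificateFile    /etc/ldap/ca.pem
TLSCertificateFile      /etc/ldap/backend-cert.pem
TLSCertificateKeyFile   /etc/ldap/backend-key.pem
# Demand a CA-signed client certificate; a peer that sends none is rejected
# at the handshake ("peer did not return a certificate").
TLSVerifyClient         demand
# Map the proxy certificate's subject (as SASL EXTERNAL reports it) to a
# directory entry that carries the proxy's authorization rights.
authz-regexp
    "^cn=ldap-proxy,o=example$"
    "cn=ldap-proxy,ou=services,dc=appli,dc=test,dc=com"
# Let entries authorize *to* other identities via their authzTo attribute,
# so only the proxy entry (not arbitrary binds) can assert client identities.
authz-policy    to

# The proxy entry on the backend would then carry, for example:
#   authzTo: dn.regex:^uid=[^,]+,dc=appli,dc=test,dc=com$
```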