Hi All,
I'm trying to get syncrepl to work with TLS and SASL EXTERNAL. I think I configured everything correctly; I explicitly state it should use bindmethod=sasl, but in the logs I see it is using simple nonetheless. Replication subsequently fails because of a lack of access rights. Using ldapsearch with identical settings in .ldaprc works... I'm at a loss. Does anybody know what is going on?
Excerpt from slapd.conf of consumer:
syncrepl rid=13
        provider=ldaps://example.org:636
        type=refreshAndPersist
        interval=00:00:30:00
        searchbase="ou=People,dc=example,dc=org"
        scope=sub
        bindmethod=sasl
        saslmech=EXTERNAL
        schemachecking=off
        authcid=cn=kelderlied,ou=hosts,o=example
        authzid=cn=kelderlied,ou=hosts,o=example
        tls_cacert=/etc/ldap/trusted/ca.drs.p-cacert_root_3.pem
        tls_cert=/etc/ssl/CA/kelderlied.crt
        tls_key=/etc/ssl/CA/kelderlied.key
        tls_reqcert=demand
        starttls=critical
When syncrepl from the consumer is started, in the logs of the provider I see:
ACCEPT from IP=A.B.C.D:55428 (IP=0.0.0.0:636)
TLS established tls_ssf=128 ssf=128
BIND dn="" method=128
conn=1099 op=0 RESULT tag=97 err=0 text=
SRCH BASE.....
So TLS is successful (I have TLS_REQ = demand on the provider), but a simple bind is requested.
Here I do a search by hand with identical settings in my .ldaprc, which succeeds:
ldapsearch -H ldaps://example.org:636 -Y EXTERNAL -b "ou=people,dc=example,dc=org" "(objectClass=*)"
In the logs:
ACCEPT from IP=A.B.C.D:55434 (IP=0.0.0.0:636)
TLS established tls_ssf=128 ssf=128
BIND dn="" method=163
BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
RESULT tag=97 err=0 text=
Any help is appreciated...
Tim
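As an added example (not part of Tim's post and not OpenLDAP's own code): a small Python checker that parses a slapd.conf syncrepl directive like the one quoted above, lists what a SASL EXTERNAL bind over TLS needs (bindmethod, saslmech, CA, client cert and key, tls_reqcert) plus any token that lost its '=', and maps the method= code of a provider BIND log line to simple (128) or SASL (163) so the two log excerpts above can be told apart mechanically. The function names and the set of checks are my own assumptions.

```python
import re
import shlex

# BIND method codes as they appear in slapd's "method=" log field
# (LDAP_AUTH_SIMPLE = 0x80, LDAP_AUTH_SASL = 0xa3).
BIND_METHODS = {128: "simple", 163: "sasl"}


def parse_syncrepl(directive):
    """Split a slapd.conf 'syncrepl' directive into (params, malformed).

    Tokens are shell-like, so quoted values containing spaces survive; every
    token after 'syncrepl' must be key=value, and anything else (for example
    'tls_cert /path', missing the '=') is returned in the malformed list."""
    tokens = shlex.split(directive)
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params, malformed = {}, []
    for tok in tokens[1:]:
        if "=" not in tok:
            malformed.append(tok)
            continue
        key, value = tok.split("=", 1)
        params[key.lower()] = value
    return params, malformed


def lint_sasl_external(directive):
    """Return the problems that would keep this consumer from binding with
    SASL EXTERNAL over TLS; an empty list means the directive looks consistent."""
    params, malformed = parse_syncrepl(directive)
    problems = [f"malformed token (expected key=value): {t}" for t in malformed]
    if params.get("bindmethod", "").lower() != "sasl":
        problems.append("bindmethod is not sasl")
    if params.get("saslmech", "").upper() != "EXTERNAL":
        problems.append("saslmech is not EXTERNAL")
    # With EXTERNAL the client certificate is the credential, so the consumer
    # needs its own cert and key as well as the CA used to verify the provider.
    for key in ("tls_cacert", "tls_cert", "tls_key"):
        if key not in params:
            problems.append(f"missing {key}")
    if params.get("tls_reqcert", "").lower() != "demand":
        problems.append("tls_reqcert should be demand")
    return problems


def bind_method_from_log(line):
    """Name the bind method of a slapd 'BIND dn=... method=N' log line."""
    m = re.search(r'BIND dn="[^"]*" method=(\d+)', line)
    return BIND_METHODS.get(int(m.group(1)), "unknown") if m else None
```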