Hi,
I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers using slapd-meta. The remote servers require SASL EXTERNAL authentication, so I have to configure TLS client auth.
The relevant part of my slapd.conf looks like this:

-------------------------------------------------
database meta
suffix "dc=example"

uri "ldaps://server2:636/cn=server2,dc=example"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=mycert.crt
  tls_key=mycert.key
  tls_cacert=trusted-ca.pem
  mode=none
-------------------------------------------------
Starting slapd with this config results in anonymous authentication against "server2", even though I configured the idassert-bind to use SASL EXTERNAL with the given keys/certs.
The strange thing is: when I start slapd with the environment variables LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CACERT set (same values as the options in idassert-bind), everything works (the meta backend authenticates with the given keys/certs).
Why do I have to set those environment variables to get the meta backend working? And, respectively, why do the tls_* options in idassert-bind have no effect in that case?
Thanks in advance,
Manuel
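A pre-flight check for the idassert-bind line above, added here as an example and not part of the original message or of OpenLDAP. Before looking at slapd's own behaviour it helps to rule out the plain cases in which a TLS client bind silently degrades: a file that slapd cannot find or read from its working directory, or a key that does not match the certificate. The script parses the option=value pairs of the directive and loads the referenced files with Python's ssl module as a stand-in for the library that slapd will eventually hand them to. The file names are the poster's placeholders; the option names are those used in the post.

```python
"""Pre-flight check for an slapd-meta idassert-bind line using SASL EXTERNAL.
Added example for this thread, not OpenLDAP code.  It parses the directive's
option=value pairs, checks that the TLS files exist and are readable, and loads
the cert/key pair and CA bundle with Python's ssl module so that a missing file
or a key/cert mismatch is reported explicitly."""

import os
import shlex
import ssl

# The directive from the post (file names are the post's placeholders).
IDASSERT_BIND = (
    "idassert-bind bindmethod=sasl saslmech=EXTERNAL "
    "tls_cert=mycert.crt tls_key=mycert.key "
    "tls_cacert=trusted-ca.pem mode=none"
)

TLS_FILE_OPTIONS = ("tls_cert", "tls_key", "tls_cacert")


def parse_idassert_bind(line):
    """Split an idassert-bind line into a dict of option -> value.
    shlex.split copes with quoted values such as binddn="cn=proxy,dc=example"."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "idassert-bind":
        raise ValueError("not an idassert-bind directive: %r" % line)
    options = {}
    for token in tokens[1:]:
        if "=" not in token:
            raise ValueError("option without a value: %r" % token)
        key, value = token.split("=", 1)
        options[key] = value
    return options


def check_tls_options(options, base_dir="."):
    """Return a list of problem strings; an empty list means every check passed.
    Relative paths are resolved against base_dir, which for a running slapd is
    the server's working directory, not the directory holding slapd.conf."""
    problems = []
    if options.get("bindmethod") != "sasl" or options.get("saslmech") != "EXTERNAL":
        problems.append("bindmethod=sasl saslmech=EXTERNAL expected for TLS client auth")

    paths = {}
    for opt in TLS_FILE_OPTIONS:
        if opt not in options:
            problems.append("%s is not set" % opt)
            continue
        path = os.path.join(base_dir, options[opt])
        paths[opt] = path
        if not os.path.isfile(path):
            problems.append("%s: file not found: %s" % (opt, path))
        elif not os.access(path, os.R_OK):
            problems.append("%s: not readable: %s" % (opt, path))
    if problems:
        return problems

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Raises ssl.SSLError when the private key does not belong to the cert.
        ctx.load_cert_chain(paths["tls_cert"], paths["tls_key"])
    except ssl.SSLError as err:
        problems.append("tls_cert/tls_key do not load as a pair: %s" % err)
    try:
        ctx.load_verify_locations(paths["tls_cacert"])
    except ssl.SSLError as err:
        problems.append("tls_cacert is not a usable CA bundle: %s" % err)
    return problems


if __name__ == "__main__":
    opts = parse_idassert_bind(IDASSERT_BIND)
    for problem in check_tls_options(opts) or ["all idassert-bind TLS checks passed"]:
        print(problem)
```

Run it from the directory slapd is started in (or pass that directory as base_dir), since that is where relative tls_* paths will be resolved. A clean result only says the files are usable by a TLS client library; it does not say anything about which bind slapd-meta actually performs.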