On 08/09/10 08:55 +0200, Manuel Gaupp wrote:
Hi,
I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers using slapd-meta. The remote servers require SASL EXTERNAL authentication, so I have to configure TLS client auth.
The relevant part of my slapd.conf looks like this:
database meta suffix "dc=example"
uri "ldaps://server2:636/cn=server2,dc=example" idassert-authzFrom "dn:*" idassert-bind bindmethod=sasl saslmech=EXTERNAL tls_cert=mycert.crt tls_key=mycert.key tls_cacert=trusted-ca.pem mode=none
Starting slapd with this config results in anonymous authentication against "server2", even though I configured the idassert-bind to use SASL EXTERNAL with the given keys/certs.
What setting do you have for TLSVerifyClient on the server side? According 16.2.1.8 of the Administrator's Guide, you'll need a non-default setting for the server to ask for the client certificate.
Also, have you attempted to perform a bind using the client utilities, to rule out any problems with the server config?