I am trying to set up an OpenLDAP server (2.40) on CentOS 6 that uses a proxy referral to another LDAP server (OpenDJ) , all via SSL/TLS

The referral works if I do not use SSL but when I configure slapd.conf to require certs, I get an invalid password error:

res_errno: 49, res_error: <Invalid password.>, res_matched: <>

The proxy is configured to use SASL EXTERNAL binding but when connecting to the OpenDJ service, it binds anonymously:

ldap_back_dobind_int: DN="<certificate DN>" without creds, binding anonymouslyldap_sasl_bind

The same configuration works on Windows using OpenLDAP 2.38

Here is the configuration for the ldap backend in slapd.conf:

database ldap
suffix "ou=organization unit, o=organization"
uri "ldaps://test.ldap.com:636/"

chase-referrals yes
idassert-bind bindmethod=sasl
saslmech=EXTERNAL
binddn="O=ORG,OU=ORGUNIT,C=US"
tls_cacert="/path/to/ca cert.pem"
tls_cert="/path/to/server cert.pem"
tls_key="/path/to/server key.pem"
tls_reqcert=demand
mode=self

Thank you