I am trying to set up an OpenLDAP server (2.40) on CentOS 6 that uses a proxy referral to another LDAP server (OpenDJ), all via SSL/TLS.

The referral works if I do not use SSL but when I configure slapd.conf to require certs, I get an invalid password error:


res_errno: 49, res_error: <Invalid password.>, res_matched: <>

The proxy is configured to use SASL EXTERNAL binding but when connecting to the OpenDJ service, it binds anonymously:


ldap_back_dobind_int: DN="<certificate DN>" without creds, binding anonymously
ldap_sasl_bind

The same configuration works on Windows using OpenLDAP 2.38.

Here is the configuration for the ldap backend in slapd.conf:

database        ldap
suffix          "ou=organization unit, o=organization"
uri             "ldaps://test.ldap.com:636/"

chase-referrals yes
idassert-bind bindmethod=sasl
  saslmech=EXTERNAL
  binddn="O=ORG,OU=ORGUNIT,C=US"
  tls_cacert="/path/to/ca cert.pem"
  tls_cert="/path/to/server cert.pem"
  tls_key="/path/to/server key.pem"
  tls_reqcert=demand
  mode=self

Thank you
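As an added diagnostic (not part of the original question), this script checks, on the proxy host, the pieces the idassert-bind stanza above depends on before slapd is involved: that the CA file validates the client certificate, that the key actually belongs to that certificate, what subject DN the remote server will see for the SASL EXTERNAL identity (to compare with binddn), and finally the same EXTERNAL bind that back-ldap would attempt. The file paths and URI are the placeholders from the post; openssl and the openldap-clients ldapwhoami are assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post. Assumptions: the paths
# and URI below are the placeholders from slapd.conf (override via env vars),
# and openssl plus ldapwhoami are available on the proxy host.
CA_CERT="${CA_CERT:-/path/to/ca cert.pem}"
CLIENT_CERT="${CLIENT_CERT:-/path/to/server cert.pem}"
CLIENT_KEY="${CLIENT_KEY:-/path/to/server key.pem}"
LDAP_URI="${LDAP_URI:-ldaps://test.ldap.com:636/}"

# Convert an OpenSSL "oneline" subject (/C=US/OU=ORGUNIT/O=ORG) into the
# RFC 2253 order (O=ORG,OU=ORGUNIT,C=US) that binddn and server-side
# certificate-to-entry mappings use. Pure shell so it can be unit-tested.
oneline_to_rfc2253() {
    printf '%s\n' "$1" | awk -F/ '{
        out = ""
        for (i = NF; i >= 2; i--) out = out (out == "" ? "" : ",") $i
        print out
    }'
}

# Does the private key belong to the certificate? Compares the public keys
# (algorithm-agnostic). A mismatch fails the TLS handshake before any SASL
# EXTERNAL identity can be asserted.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1")
    k=$(openssl pkey -pubout -in "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Full local check: chain, key/cert pairing, the DN the remote side will see,
# then the EXTERNAL bind slapd's idassert-bind would perform.
check_idassert_identity() {
    openssl verify -CAfile "$CA_CERT" "$CLIENT_CERT" || return 1
    key_matches_cert "$CLIENT_CERT" "$CLIENT_KEY" || return 1
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$CLIENT_CERT" \
           | sed 's/^subject= *//')
    echo "certificate subject (compare with binddn): $subj"
    LDAPTLS_CACERT="$CA_CERT" LDAPTLS_CERT="$CLIENT_CERT" \
    LDAPTLS_KEY="$CLIENT_KEY" LDAPTLS_REQCERT=demand \
        ldapwhoami -H "$LDAP_URI" -Y EXTERNAL
}

# Run the live check only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    check_idassert_identity
fi
```

If ldapwhoami succeeds here but slapd still binds anonymously, the certificate material is fine and the problem lies in how slapd reads the idassert-bind stanza itself.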