Hello Fred,

I've just used this auth in my setup:
TLSVerifyClient        demand -> TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.

Looks like your request does not use the certificate at all.

From: fred750164@gmail.com <fred750164@gmail.com>
Sent: Thursday, 16 January 2025 19:52
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: ldap proxy

I want to set up an architecture that allows a client to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured, but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL. What configurations need to be implemented on the LDAP proxy and the LDAP backend?

I saw in the slapd-ldap(5) documentation that the idassert-bind parameter could be used on the LDAP proxy for the TLS connection via SASL EXTERNAL, and in the slapd.conf(5) documentation that the authz-regexp parameter could be used on the LDAP backend to allow querying with a DN extracted from the certificate on this LDAP backend.

However, I am struggling to set it up.

I use OpenLDAP 2.4.

slapd.conf on proxy server:
[...]
Database        ldap
suffix          dc=test,dc=com
uri             ldaps://mytest.com:636
idassert-bind
   mode=self
   bindmethod=sasl
   saslmech=EXTERNAL
   tls_cert=/etc/openldap/certs/server.crt
   tls_key=/etc/openldap/certs/server.key
   tls_cacert=/etc/ssl/certs/ca-bundle.crt
   tls_cacertdir=/etc/ssl/certs
   tls_crlcheck=none
   tls_reqcert=allow
[...]

slapd.conf on backend server:
[...]
# Modules
moduleload             back_mdb
moduleload             authz-regexp

# TLS
TLSCACertificateFile   /opt/openldap/etc/openldap/certs/ca-certificates.crt
TLSCertificateFile     /opt/openldap/etc/openldap/certs/backend.crt
TLSCertificateKeyFile  /opt/openldap/etc/openldap/certs/backend.key
TLSCipherSuite         HIGH
TLSVerifyClient        demand
sasl-Host              mytest.com
sasl-realm             EXTERNAL
authz-regexp           ".*" "cn=user1,dc=test,dc=com"
[...]

proxy:
ldapsearch -H ldaps://mytest.com -b "dc=appli,dc=test,dc=com" -Y EXTERNAL -ZZ
ldap_start_tls: Can't contact LDAP server (-1)

backend:
67895427.2b4074ce 0x7f7e6bffe6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.

Any help would be appreciated.
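As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of what the backend's authz-regexp line does once the proxy's client certificate has been accepted: with SASL EXTERNAL over TLS, slapd takes the subject DN of the client certificate as the authentication identity, applies the authz-regexp rules in configuration order, and the first match rewrites it into the authorization DN. The subject DNs, the ou=proxies branch and the second rule set are constructed for the example; the model skips slapd's DN normalisation and only handles DN-form replacements. It shows why a match pattern of ".*" is broad: every certificate the backend's CA bundle trusts, not just the proxy's, ends up authorized as cn=user1.

```python
import re
from typing import List, Optional, Tuple

# Rule list in slapd.conf order: (match regex, replacement). First match wins.
# This is Fred's rule from the thread: any authenticated identity becomes user1.
AUTHZ_REGEXP_RULES: List[Tuple[str, str]] = [
    (r".*", "cn=user1,dc=test,dc=com"),
]

# Tighter alternative, constructed for this example (not from the thread):
# only certificates whose subject sits under ou=proxies are mapped, and the
# CN is carried over into the mapped DN via $1.
TIGHT_RULES: List[Tuple[str, str]] = [
    (r"^cn=([^,]+),ou=proxies,dc=test,dc=com$", "cn=$1,ou=people,dc=test,dc=com"),
]


def authz_map(authc_identity: str, rules: List[Tuple[str, str]]) -> str:
    """Return the authorization DN for a SASL EXTERNAL authentication identity.

    Assumptions of this model: slapd evaluates each rule with an unanchored
    regex search, expands $1..$9 in the replacement, and stops at the first
    matching rule. If no rule matches, the identity is left unchanged, which
    is what slapd does with the certificate subject DN.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authc_identity)
        if m is None:
            continue
        # Expand $N references from the capture groups of the matching rule.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replacement)
    return authc_identity


def demo() -> List[Tuple[str, str, str]]:
    """Map two constructed certificate subjects under both rule sets."""
    subjects = [
        "cn=proxy1,ou=proxies,dc=test,dc=com",          # the LDAP proxy's cert
        "cn=laptop-of-bob,ou=workstations,dc=test,dc=com",  # any other cert from the same CA
    ]
    return [
        (subject, authz_map(subject, AUTHZ_REGEXP_RULES), authz_map(subject, TIGHT_RULES))
        for subject in subjects
    ]


if __name__ == "__main__":
    for subject, broad, tight in demo():
        print(f"{subject}\n  '.*' rule   -> {broad}\n  tight rule  -> {tight}")
```

Run it and the workstation certificate is mapped to cn=user1 by the ".*" rule but stays unmapped under the anchored rule; a rule that anchors on the proxy's own subject DN (or on the branch its certificates are issued under) keeps the authorization grant limited to the proxy.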