Hi all,

I'm using openldap/slapd as a ldap server (using libsasl2-2 & related modules for sasl auth) on ubuntu and trying to get a client to authenticate/bind using external/client certificate.

I'm using two clients - one is a native C client using windows winldap native library and one is based on a different client ldap library (i.e. not using winldap or openldap native libraries). The client based on winldap works fine, but not the other one.

This is what I can see in the slapd logs for the two cases:

- the one which works fine via winldap 5fe876d4 conn=1000 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt (}}) ber: 5fe876d4 >>> dnPrettyNormal: <> 5fe876d4 <<< dnPrettyNormal: <>, <> 5fe876d4 do_bind: dn () SASL mech EXTERNAL 5fe876d4 ==>slap_sasl2dn: converting SASL name email=test@test.com,cn=example,ou=example,o=example,st=anystate,c=us to a DN 5fe876d4 ==> rewrite_context_apply [depth=1] string='email=test@test.com,cn=example,ou=example,o=example,st=anystate,c=us' 5fe876d4 ==> rewrite_rule_apply rule='email=test@test.com,cn=example,ou=example,o=example,st=anystate,c=us' string='email=test@test.com,cn=example,ou=example,o=example,st=anystate,c=us' [1 pass(es)] 5fe876d4 ==> rewrite_context_apply [depth=1] res={0,'cn=test,dc=example,dc=com'} 5fe876d4 slap_parseURI: parsing cn=test,dc=example,dc=com ldap_url_parse_ext(cn=test,dc=example,dc=com) 5fe876d4 >>> dnNormalize: <cn=test,dc=example,dc=com> 5fe876d4 <<< dnNormalize: <cn=test,dc=example,dc=com> 5fe876d4 <==slap_sasl2dn: Converted SASL name to cn=test,dc=example,dc=com 5fe876d4 slap_sasl_getdn: dn:id converted to cn=test,dc=example,dc=com 5fe876d4 SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" 5fe876d4 send_ldap_sasl: err=0 len=-1 5fe876d4 do_bind: SASL/EXTERNAL bind: dn="cn=test,dc=example,dc=com" sasl_ssf=0 5fe876d4 send_ldap_response: msgid=1 tag=97 err=0

- the one which doesn't work 5fe87b50 conn=1001 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (}}) ber: 5fe87b50 >>> dnPrettyNormal: <> 5fe87b50 <<< dnPrettyNormal: <>, <> 5fe87b50 do_bind: dn () SASL mech EXTERNAL 5fe87b50 send_ldap_sasl: err=14 len=0 5fe87b50 send_ldap_response: msgid=1 tag=97 err=14

As can be seen, the second one stops at "do_bind: dn () SASL mech EXTERNAL" and slapd just returns the binding in progress result code. Of course, the same client certificate is used in both cases. The fact that one client works fine suggests that the slapd configuration is correct.

Any idea what is wrong? Can I enable any additional logs (sasl one?) to be able to see more?

Thanks, Dumitru