I am trying to set up an OpenLDAP server (2.40) on CentOS 6 that uses a proxy referral to another LDAP server (OpenDJ) , all via SSL/TLS
The referral works if I do not use SSL but when I configure slapd.conf to require certs, I get an invalid password error:
res_errno: 49, res_error: <Invalid password.>, res_matched: <>
The proxy is configured to use SASL EXTERNAL binding but when connecting to the OpenDJ service, it binds anonymously:
ldap_back_dobind_int: DN="<certificate DN>" without creds, binding anonymouslyldap_sasl_bind
The same configuration works on Windows using OpenLDAP 2.38
Here is the configuration for the ldap backend in slapd.conf:
database ldap suffix "ou=organization unit, o=organization" uri "ldaps://test.ldap.com:636/"
chase-referrals yes idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="O=ORG,OU=ORGUNIT,C=US" tls_cacert="/path/to/ca cert.pem" tls_cert="/path/to/server cert.pem" tls_key="/path/to/server key.pem" tls_reqcert=demand mode=self
Thank you
openldap-technical@openldap.org