> So you're using TLS client cert and SASL/EXTERNAL to a hostname (also in ther > server cert) but where the IP address of the hostname is directly routed > through > 127.0.0.1?
The slapd log of my same-host tests confirms they in fact used the IPv4 loopback address, 127.0.0.1, even though the bind URI specified the FQDN. > Not sure but the difference is the client IP address. If the client can reach > slapd through 127.0.0.1 the client's IP address is also 127.0.0.1 which could > make a difference in the SASL client handling. Anyone said hostname > canonicalization? Does setting sasl-host <fqdn> make a difference? The ~/.ldaprc used by the client in these tests contained "TLS_REQCERT none", so a mismatch between the server's FQDN and the peer address actually used would not have been detected. Another difference would be "ping-pong" memory allocation between client and server. Even though different processes, they may allocate from the same pool. With the client running on a different host in other tests, slapd would not be competing with other processes in a predictable, repeatable fashion (slapd SEGFAULTs were 100% repeatable for specific sequences of EXTERNAL binds, but only with client and server on the same host).
