Hi All, I'm trying to get syncrepl to work with TLS and SASL EXTERNAL. I think I configured everything correctly; I explicitly state it should use bindmethod=sasl, but in the logs I see it is using simple nonetheless. Replication subsequently fails because of a lack of access rights. Using ldapsearch with identical settings in .ldaprc works... I'm at a loss. Does anybody know what is going on?
Excerpt from slapd.conf of the consumer:

    syncrepl rid=13
        provider=ldaps://example.org:636
        type=refreshAndPersist
        interval=00:00:30:00
        searchbase="ou=People,dc=example,dc=org"
        scope=sub
        bindmethod=sasl
        saslmech=EXTERNAL
        schemachecking=off
        authcid=cn=kelderlied,ou=hosts,o=example
        authzid=cn=kelderlied,ou=hosts,o=example
        tls_cacert=/etc/ldap/trusted/ca.drs.p-cacert_root_3.pem
        tls_cert=/etc/ssl/CA/kelderlied.crt
        tls_key=/etc/ssl/CA/kelderlied.key
        tls_reqcert=demand
        starttls=critical

When syncrepl on the consumer is started, in the logs of the provider I see:

> ACCEPT from IP=A.B.C.D:55428 (IP=0.0.0.0:636)
> TLS established tls_ssf=128 ssf=128
> BIND dn="" method=128
> conn=1099 op=0 RESULT tag=97 err=0 text=
> SRCH BASE.....

So, TLS is successful (I have TLS_REQ = demand on the provider), but a simple bind is requested.

Here I do a search by hand with identical settings in my .ldaprc, and it succeeds:

> ldapsearch -H ldaps://example.org:636 -Y EXTERNAL -b "ou=people,dc=example,dc=org" "(objectClass=*)"

In the logs:

> ACCEPT from IP=A.B.C.D:55434 (IP=0.0.0.0:636)
> TLS established tls_ssf=128 ssf=128
> BIND dn="" method=163
> BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
> BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
> RESULT tag=97 err=0 text=

Any help is appreciated...

Tim
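The difference between the two provider log excerpts above is the BIND method code: slapd logs `method=128` (0x80, the LDAP simple bind choice) for the syncrepl connection and `method=163` (0xa3, the SASL choice) followed by a `mech=EXTERNAL` line for the hand-run ldapsearch. The following script is an added example, not part of the post or of OpenLDAP; it runs that comparison over provider log lines so an operator can confirm which connections actually authenticated with SASL and which arrived as anonymous simple binds despite a `bindmethod=sasl` consumer configuration. The log lines embedded in it are constructed in slapd's `conn=N op=M` format, modelled on the excerpts in the post (connection numbers and the IP address are made up).

```python
import re
from collections import defaultdict

# Constructed sample of provider (slapd) log lines, modelled on the two excerpts
# in the post. Connection 1099 mirrors the failing syncrepl session, connection
# 1100 the successful ldapsearch -Y EXTERNAL session.
SAMPLE_LOG = """\
conn=1099 fd=12 ACCEPT from IP=192.0.2.10:55428 (IP=0.0.0.0:636)
conn=1099 fd=12 TLS established tls_ssf=128 ssf=128
conn=1099 op=0 BIND dn="" method=128
conn=1099 op=0 RESULT tag=97 err=0 text=
conn=1100 fd=13 ACCEPT from IP=192.0.2.10:55434 (IP=0.0.0.0:636)
conn=1100 fd=13 TLS established tls_ssf=128 ssf=128
conn=1100 op=0 BIND dn="" method=163
conn=1100 op=0 BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
conn=1100 op=0 BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
conn=1100 op=0 RESULT tag=97 err=0 text=
"""

# LDAP BindRequest authentication choice tags, as slapd prints them in decimal:
# 128 (0x80) is the simple choice, 163 (0xa3) is the SASL choice.
METHODS = {128: "simple", 163: "sasl"}

TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)')


def classify_binds(log_text):
    """Return {conn_id: {tls, method, mech, dn, anonymous_simple}} for every
    connection that issued a BIND in the given slapd log text."""
    conns = defaultdict(lambda: {"tls": False, "method": None, "mech": None,
                                 "dn": "", "anonymous_simple": False})
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            conns[m.group(1)]["tls"] = True
            continue
        m = BIND_RE.search(line)
        if m:
            conn = conns[m.group(1)]
            conn["method"] = METHODS.get(int(m.group(3)), f"unknown({m.group(3)})")
            conn["dn"] = m.group(2)
            # An empty DN with the simple method is an anonymous bind; that is what
            # the post's syncrepl connection shows, and why it lacks access rights.
            conn["anonymous_simple"] = conn["method"] == "simple" and m.group(2) == ""
            continue
        m = MECH_RE.search(line)
        if m:
            # slapd logs the SASL mechanism and the DN it mapped the identity to
            # on a second BIND line once the SASL exchange completes.
            conn = conns[m.group(1)]
            conn["mech"] = m.group(3)
            conn["dn"] = m.group(2)
    return dict(conns)


def anonymous_simple_connections(conns):
    """Connection ids that authenticated as anonymous simple binds; a syncrepl
    consumer configured for bindmethod=sasl should never appear here."""
    return sorted(cid for cid, conn in conns.items() if conn["anonymous_simple"])


if __name__ == "__main__":
    result = classify_binds(SAMPLE_LOG)
    for cid, conn in sorted(result.items()):
        print(f"conn={cid} tls={conn['tls']} method={conn['method']} "
              f"mech={conn['mech']} dn={conn['dn']!r}")
    print("anonymous simple binds:", anonymous_simple_connections(result))
```

Run against a real provider log (for example, piping `grep ' BIND \| TLS established' /var/log/slapd.log` into `classify_binds`), a consumer whose `bindmethod=sasl` is being honoured shows up with `method=sasl` and `mech=EXTERNAL` plus the mapped DN, while the symptom described in the post shows up in the anonymous-simple list.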
