Hello,
I’m trying to set up an OpenLDAP architecture where a client connects to a
proxy using an unencrypted connection with a simple bind (e.g., via
ldapsearch), and the proxy then connects securely to a backend LDAP server
using TLS client certificate authentication via SASL EXTERNAL.
Here is what I’m aiming for:
• The client uses simple bind over ldap:// to connect to the proxy.
• The proxy should ignore the client’s bind credentials and use its own certificate to connect to the backend via ldaps:// or ldap+starttls:// using SASL EXTERNAL.
• The backend uses authz-regexp rules to map the proxy’s certificate DN to a local identity, which is authorized to perform the search on behalf of the client.
I’ve tested this setup with OpenLDAP versions 2.4, 2.5, and 2.6 but have not
been able to make it work.
I gave a configuration in my first message, and I tried several configurations, but I always come back to this one when I read the docs or look at the forums.
Regards
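For reference, here is an added slapd.conf sketch of the three pieces the post describes (client bind handled at the proxy, proxy to backend over TLS with SASL EXTERNAL, backend authz-regexp mapping). It is not the poster's configuration and has not been run against their setup. All hostnames, paths, DNs and certificate subjects are assumptions. One further assumption is built in: back-ldap forwards a client's simple bind to the remote server as-is, so for the proxy to "ignore" the client's credentials, the client has to bind as an identity the proxy authenticates locally (here a small mdb database under dc=local); the proxy then uses its idassert identity for the search on the proxied suffix. The proxy side uses ldap:// plus StartTLS; ldaps:// would work the same way with the same tls_* options.

```conf
# --- proxy: slapd.conf (assumed example, not the original poster's config) ---

# Local database holding the identities clients bind as.  The proxy checks
# the password itself, so nothing about the client's bind reaches the backend.
database  mdb
suffix    "dc=local"
rootdn    "cn=admin,dc=local"
directory /var/lib/ldap/local
access to attrs=userPassword
    by anonymous auth
    by * none
access to *
    by * read

# Proxy database: clients search under dc=example,dc=com here.
database  ldap
suffix    "dc=example,dc=com"
uri       "ldap://backend.example.com/"
# StartTLS on outgoing connections; verify the backend's server certificate.
tls       start tls_cacert=/etc/ldap/ca.crt tls_reqcert=demand
# Bind to the backend as the proxy itself: SASL EXTERNAL over TLS, using the
# proxy's client certificate.  mode=none means operations are sent under that
# identity with no proxyAuthz control carrying the client's DN.
idassert-bind bindmethod=sasl saslmech=EXTERNAL mode=none
    starttls=critical
    tls_cert=/etc/ldap/proxy.crt
    tls_key=/etc/ldap/proxy.key
    tls_cacert=/etc/ldap/ca.crt
    tls_reqcert=demand
# Only clients authenticated against the local database may ride on the
# proxy's identity.
idassert-authzFrom "dn.subtree:ou=proxy-users,dc=local"

# --- backend: slapd.conf (assumed example) ---

TLSCACertificateFile  /etc/ldap/ca.crt
TLSCertificateFile    /etc/ldap/backend.crt
TLSCertificateKeyFile /etc/ldap/backend.key
# Request and verify the client certificate.  Without this, SASL EXTERNAL
# over TLS has no authentication identity to map.
TLSVerifyClient       demand

# Map the subject DN of the proxy's certificate, as delivered by SASL
# EXTERNAL (normalized form), to an entry in this directory.  The subject
# "cn=proxy.example.com,ou=proxies,o=example" is an assumed value.
authz-regexp
    "^cn=proxy.example.com,ou=proxies,o=example$"
    "cn=proxy,ou=services,dc=example,dc=com"

database  mdb
suffix    "dc=example,dc=com"
rootdn    "cn=admin,dc=example,dc=com"
directory /var/lib/ldap/example
# The mapped identity may read; nobody else gets anything on this server.
access to *
    by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
    by * none
```

Before debugging the proxy, check the backend half on its own from the proxy host: `ldapwhoami -H ldap://backend.example.com -ZZ -Y EXTERNAL` with LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CACERT set to the proxy's certificate, key and CA. If the authz-regexp matches, ldapwhoami reports the mapped DN cn=proxy,ou=services,dc=example,dc=com; if it reports the raw certificate subject instead, the regex does not match the normalized subject and the proxy configuration is not the problem.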