The PKI authentication backend is compatible only with SASL mechanisms, that are based on client certificates.
SASL EXTERNAL meets that requirement.
It extracts the Common Name from a certificate and returns it as a username part in JID.
Client certificate requirements
Common Name must be equal to the username part of the client JID.
Some of its callbacks return hardcoded values, as it's impossible for this backend to properly acquire certain pieces of information. These include:
||PKI reponds with
||Any metrics or statistics (e.g. available via