Dieter Kluenter wrote:
Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:

  
Dieter Kluenter wrote:

    Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
    
[...]
  
    There is nothing special to do. ldapsearch -Y DIGEST-MD5 -U foo -w
    secret -H ldap://myhost -b dc=example,dc=com ...
    All you have to do is to set the userPassword value as plaintext,
    otherwise the challenge cannot be created. If you want to parse the
    SASL authentication string to a DN, then you have to define an
    authz-regexp in slapd.conf(5) and the user has to have a uid
    attribute.
    
[...]

I still cannot authenticate by using the password from the userPassword attribute. I
also attach 2 configuration files with this email. Is there any missing
configuration?


Could you provide some logs?

[...]
  
# slapd.conf - Configuration file for LDAP SLAPD
##########
authz-regexp 
	uid=([^,]+).*,cn=auth
	uid=$1,ou=Users,dc=example,dc=com
authz-regexp
	email=([^,]+),cn=([^,]+).*,c=TH$
	uid=$2,ou=Users,dc=example,dc=com
sasl-realm example.com
sasl-secprops none
    

Is there any particular reason to define the second authz-regexp rule?

  
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none
access to dn.subtree="ou=System,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
	by users read
    

  
access to *
	by self write
	by users read
	by * none
    
[...]

Run slapd -d acl and post the relevant parts.

-Dieter


Dear Dieter Kluenter,

1. I have defined the second authz-regexp rule to map SASL EXTERNAL authentication from a certificate to an LDAP DN. It's just for testing.
2. I test SASL by executing the command "ldapsearch -U matt -Y DIGEST-MD5".
3. I also attach the output files from option "-d trace" in file debug_trace.log and from "-d acl" in file debug_acl.log.

Jittinan Suwanrueangsri
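The thread turns on two things: what the posted authz-regexp rules produce for the SASL DNs slapd hands them, and why DIGEST-MD5 needs a cleartext userPassword. The following Python is an added example, not code from this thread or from OpenLDAP. It re-implements slapd's first-match regex mapping in Python's re module (for these two patterns that is equivalent to the extended, case-insensitive POSIX regexes slapd compiles), feeds it constructed sample DNs of the form slapd builds for a DIGEST-MD5 bind (uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth) plus a certificate-subject string shaped the way the second rule expects, and computes the RFC 2831 inner hash that forces the server to hold the cleartext. The function names and the sample values are assumptions of mine, not taken from the poster's logs.

```python
import hashlib
import re

# The two authz-regexp rules from the slapd.conf posted in this thread,
# as (pattern, template) pairs. slapd tries them in the order written and
# stops at the first match.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,]+).*,cn=auth", "uid=$1,ou=Users,dc=example,dc=com"),
    (r"email=([^,]+),cn=([^,]+).*,c=TH$", "uid=$2,ou=Users,dc=example,dc=com"),
]

# Constructed sample inputs (assumption, not from the poster's debug logs).
SAMPLE_SASL_DNS = [
    "uid=matt,cn=example.com,cn=digest-md5,cn=auth",  # DIGEST-MD5, sasl-realm set
    "uid=matt,cn=digest-md5,cn=auth",                 # DIGEST-MD5, no realm
    "email=matt@example.com,cn=matt,ou=People,c=TH",  # shape the 2nd rule expects
    "cn=matt,ou=People,c=TH",                         # matches neither rule
]


def map_authz(sasl_dn, rules=AUTHZ_REGEXP_RULES):
    """Mimic slapd's authz-regexp processing: each pattern is searched
    (unanchored unless the pattern anchors itself, case-insensitive) and
    $1..$9 are substituted into the template of the first rule that
    matches. None means no rule matched; slapd then keeps the raw
    ...,cn=auth identity, which names no entry, so 'by self' and
    'by users' ACL clauses never apply to that bind."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m is None:
            continue
        out = template
        # substitute the highest group first so "$1" never clobbers "$10"
        for i in range(len(m.groups()), 0, -1):
            out = out.replace("$%d" % i, m.group(i))
        return out
    return None


def digest_md5_usable(user_password):
    """DIGEST-MD5 requires the server to recompute the client's response
    from the password itself. A userPassword stored under a hashing scheme
    such as {SSHA} or {MD5} cannot be used for that; any '{SCHEME}' prefix
    is treated as unusable here (a deliberate simplification)."""
    return not user_password.startswith("{")


def digest_md5_secret(username, realm, password):
    """RFC 2831 inner hash H(username:realm:password), the value both sides
    feed into the response computation. Deriving it needs the cleartext
    password, which is why the stored userPassword must be in clear."""
    a1 = "%s:%s:%s" % (username, realm, password)
    return hashlib.md5(a1.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for dn in SAMPLE_SASL_DNS:
        print("%-48s -> %s" % (dn, map_authz(dn)))
    for pw in ("secret", "{SSHA}c2FsdGVkLWhhc2gtZ29lcy1oZXJl"):
        print("userPassword %-40s DIGEST-MD5 usable: %s" % (pw, digest_md5_usable(pw)))
```

Running the script shows that both DIGEST-MD5 forms map to uid=matt,ou=Users,dc=example,dc=com, that the certificate-style string is mapped by the second rule only, and that a plain cn=... subject maps to nothing at all. When the mapped DN does not exist in the directory, the bind still succeeds at the SASL level but the ACLs in the posted config grant that identity no access, which is worth checking in the -d acl output. Note also that the posted sasl-secprops none clears slapd's default SASL security properties (noanonymous,noplain); that is acceptable while testing but should not survive into production.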