But I'm out of clues with PLAIN (over TLS, using a self-signed certificate) as why it doesn't work for a user who's password is in SSHA. The users are testusers I entered, the ldif file used was 1:1, only the uids and passwords were different. I am still missing some basic principle of SASL or what's going on here?
You can use saslauthd to authenticate PLAIN. I'm using saslauthd/pam with libpam_ldap to to accomplish this during a transition period where my passwords are hashed.
You'd need to set the pwcheck_method to include saslauthd in your slapd.conf *sasl* config file to support it.
It works! Dan, THANKS! You really made my day!
As googling around reveals, people have been asking these same questions for the past five *years* so I think I owe to post my config below.
saslauthd.conf, starting the daemon with saslauthd -d -a ldap
ldap_servers: ldap://10.0.0.1/ ldap_start_tls: yes ldap_search_base: dc=intra
sasl2/slapd.conf (first line just to make sure slapd only uses its internal ldapdb)
auxprop_plugin: slapd pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux
openldap/slapd.conf (relevant portions):
authz-regexp uid=([^,]*),cn=PLAIN,cn=auth uid=$1,ou=People,dc=intra
It always a bit depressing to see how things come together after wasting several days of one's life but at least I've finally got this part working and can continue on my merry way...
____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ