--On Monday, November 4, 2024 8:29 PM -0300 tmp 2810 <t2810mp@gmail.com>
wrote:

> Once again, I apologize; I ran so many tests that I accidentally copied
> one where the binddn was incorrect.
>
> The target looks more like this:
>
>## example.com
> uri             "ldaps://ldap.google.com/dc=proxy"
> suffixmassage   "dc=proxy" "dc=example,dc=com"
> lastmod  off
> readonly on
> idassert-bind   bindmethod=simple
>                         binddn="cn=ChiwewDaw"

cn, is by definition, case insensitive. If Google LDAP is forcing case
sensitivity in this attribute, it is gross violation of the LDAP RFCs.
However, having had to interface with it in the past, I don't believe that
is the case.  I would generally suspect that this is not the full DN of the
user.

> idassert-bind   bindmethod=sasl
>                         saslmech=EXTERNAL
>                         tls_reqcert=demand
>                         tls_reqsan=demand
>                         starttls=critical


This is not sufficient, please read the man page:


       idassert-bind    bindmethod=none|simple|sasl    [binddn=<simple
DN>]
              [credentials=<simple    password>]    [saslmech=<SASL
mech>]
              [secprops=<properties>] [realm=<realm>]
[authcId=<authentication
              ID>]  [authzId=<authorization  ID>]
[authz={native|proxyauthz}]
              [mode=<mode>]     [flags=<flags>]
[starttls=no|yes|critical]
              [tls_cert=<file>]      [tls_key=<file>]
[tls_cacert=<file>]
              [tls_cacertdir=<path>]
[tls_reqcert=never|allow|try|demand]
              [tls_reqsan=never|allow|try|demand]
[tls_cipher_suite=<ciphers>]
              [tls_ecname=<names>]
[tls_protocol_min=<version>]
              [tls_crlcheck=none|peer|all]


You *must* specify tls_cert, tls_key, and tls_cacert as a part of
idassert-bind as it provides the TLS identity to bind as.  In your
configuration for simple bind, tls_cert and tls_key are unnecessary as
you're not doing SASL/EXTERNAL binds.

--Quanah