On Mon, Dec 17, 2012 at 12:46:17PM -0600, Dan White wrote:
> Verify that your password, stored within userPassword, is in plain text (when uudecoded). I do not recommend attempting to use 'pwcheck_method: auxprop-hashed' with the slapd auxprop.
I confirm it was the problem: using saslauthd it works fine.
Here is my setup for reference. It does not use EXTERNAL on ldapi:/// after all.
/usr/pkg/etc/openldap/slapd.conf:
authz-policy any
authz-regexp
    uid=([^,]*),cn=(plain|login|otp|external),cn=auth
    ldap:///dc=example,dc=net??sub?(uid=$1)

/usr/pkg/lib/sasl2/slapd.conf:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN LOGIN

/usr/pkg/etc/saslauthd.conf:
ldap_servers: ldaps://ldap.example.net
ldap_search_base: dc=example,dc=net
ldap_use_sasl: no
saslauthd is built with LDAP support and is started as: saslauthd -a ldap
Testing without slapd: testsaslauthd -u someone -p password -s slapd
Now using authzid. In DIT:
dn: uid=someone,dc=example,dc=net
authzFrom: {0}dn:uid=manu,dc=example,dc=net

Everything is fine:
$ ldapwhoami -Y PLAIN -X u:someone -U manu
SASL/PLAIN authentication started
Please enter your password: [manu's password]
SASL username: u:someone
SASL SSF: 0
dn:uid=someone,dc=example,dc=net
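As an added illustration (not part of this thread and not slapd's own code), here is a small Python model of the two decisions the configuration above relies on: the authz-regexp rewrite that turns a SASL identity such as u:someone into a directory DN via an ldap:/// search, and the proxy-authorization check that consults the target entry's authzFrom values under authz-policy any. The directory contents, the regexp being treated as anchored, the restriction to equality filters and to the dn:, dn.exact: and dn.regex: rule forms are all assumptions made for the example.

```python
import re

# Constructed copies of the two slapd.conf directives quoted in the mail.
AUTHZ_POLICY = "any"
AUTHZ_REGEXP = (
    r"uid=([^,]*),cn=(plain|login|otp|external),cn=auth",
    "ldap:///dc=example,dc=net??sub?(uid=$1)",
)

# Constructed DIT standing in for the real directory: DN -> attributes.
DIT = {
    "dc=example,dc=net": {"dc": ["example"]},
    "uid=someone,dc=example,dc=net": {
        "uid": ["someone"],
        "authzFrom": ["{0}dn:uid=manu,dc=example,dc=net"],
    },
    "uid=manu,dc=example,dc=net": {"uid": ["manu"]},
    "uid=other,dc=example,dc=net": {"uid": ["other"]},
}


def sasl_identity_to_authdn(identity, mech):
    """Rewrite a SASL identity the way slapd does before authz-regexp runs:
    'u:<name>' becomes uid=<name>,cn=<mech>,cn=auth; 'dn:<dn>' is used as given."""
    if identity.startswith("dn:"):
        return identity[len("dn:"):]
    name = identity[len("u:"):] if identity.startswith("u:") else identity
    return f"uid={name},cn={mech.lower()},cn=auth"


def search(base, scope, flt):
    """Tiny stand-in for the search an ldap:/// URI triggers (equality filters only)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}")
    attr, value = m.groups()
    hits = []
    for dn, attrs in DIT.items():
        in_scope = dn == base if scope == "base" else (dn == base or dn.endswith("," + base))
        if in_scope and value in attrs.get(attr, []):
            hits.append(dn)
    return hits


def resolve_authdn(identity, mech):
    """Map a SASL identity to exactly one directory DN via authz-regexp, else None."""
    authdn = sasl_identity_to_authdn(identity, mech)
    pattern, template = AUTHZ_REGEXP
    m = re.fullmatch(pattern, authdn)  # assumption: pattern is treated as anchored
    if not m:
        return None
    # Substitute $1, $2, ... with the captured groups, as slapd does in the URI.
    uri = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    # ldap:///<base>?<attrs>?<scope>?<filter>
    base, _attrs, scope, flt = uri[len("ldap:///"):].split("?")
    hits = search(base, scope or "base", flt)
    return hits[0] if len(hits) == 1 else None  # ambiguous or empty results are rejected


def _rule_matches(rule, dn):
    """Evaluate one authzFrom/authzTo value; the {N} ordering prefix is dropped first."""
    rule = re.sub(r"^\{\d+\}", "", rule)
    if rule.startswith("dn.regex:"):
        return re.fullmatch(rule[len("dn.regex:"):], dn) is not None
    if rule.startswith("dn.exact:"):
        return rule[len("dn.exact:"):] == dn
    if rule.startswith("dn:"):
        return rule[len("dn:"):] == dn
    return False  # other rule forms are not modelled in this example


def may_assume(authc_dn, authz_dn):
    """Proxy-authorization decision for authz-policy none/from/to/any/both."""
    if AUTHZ_POLICY == "none":
        return False
    via_from = any(_rule_matches(r, authc_dn) for r in DIT.get(authz_dn, {}).get("authzFrom", []))
    via_to = any(_rule_matches(r, authz_dn) for r in DIT.get(authc_dn, {}).get("authzTo", []))
    if AUTHZ_POLICY == "from":
        return via_from
    if AUTHZ_POLICY == "to":
        return via_to
    if AUTHZ_POLICY == "both":
        return via_from and via_to
    return via_from or via_to  # "any"


def whoami(authcid, authzid=None, mech="PLAIN"):
    """What ldapwhoami -U <authcid> -X <authzid> would report after a successful bind, or None."""
    authc_dn = resolve_authdn(authcid, mech)
    if authc_dn is None:
        return None
    if not authzid:
        return f"dn:{authc_dn}"
    authz_dn = resolve_authdn(authzid, mech)
    if authz_dn is None or not may_assume(authc_dn, authz_dn):
        return None
    return f"dn:{authz_dn}"


if __name__ == "__main__":
    print(whoami("manu", "u:someone"))  # the bind shown in the mail
    print(whoami("other", "u:someone"))  # no authzFrom rule admits uid=other
```

Running it reproduces the dn:uid=someone,dc=example,dc=net answer for manu and a refusal for an account the target entry's authzFrom does not name, which is the check worth confirming when enabling authz-policy any: every authzFrom value is an explicit grant of who may act as that entry.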