Hi OpenLDAP-Technical,
Thank you, OpenLDAP Project Team, for slapo-remoteauth. It is much simpler to set up compared to SASL.
I have one comment relating to using "remoteauth_store on" and the possibility of being able to handle upstream password changes.
According to the manual, and confirmed by testing, slapo-remoteauth is only engaged when the userPassword value is not present. In order for upstream AD password changes to propagate when using "remoteauth_store on", it would seem to be very useful to also engage the overlay when the userPassword value is present and a simple BIND fails with err=49.
The downside of this would be high-frequency repeated err=49 BIND failures causing undesirable upstream load and lockouts, but perhaps this could be mitigated by limiting it to a configurable number of upstream failures before setting a value on some attribute, say "remoteauth_enabled=False", to cause remoteauth to disengage entirely for the specific user until reset to True.
Thanks,
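An added example, not part of the post above and not code from slapo-remoteauth or the OpenLDAP project: the per-user failure counter the post proposes, run over constructed slapd "stats"-level log lines. It correlates each simple BIND (method=128) with its bind response (tag=97) via the conn/op ids, keeps a run of consecutive err=49 results per DN, resets the run on a successful bind, and reports which DNs have reached a configurable threshold. The threshold value and the idea of a "remoteauth_enabled" flag are the poster's hypothetical mechanism; the log lines are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample slapd "stats" log lines (not from the post): three
# consecutive simple-BIND failures for alice, one success for bob, and a
# failure followed by a success for carol.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1004 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1004 op=0 RESULT tag=97 err=0 text=
conn=1005 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1005 op=0 RESULT tag=97 err=49 text=
conn=1005 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1005 op=1 RESULT tag=97 err=0 text=
"""

# A simple BIND (method=128) and its bind response (tag=97) share conn/op ids.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def consecutive_bind_failures(log_text):
    """Map each bound DN to its current run of consecutive err=49 results.

    A successful bind (err=0) resets the run, so a user who eventually
    authenticates is not counted towards the disengage threshold.
    """
    pending = {}  # (conn, op) -> dn, set by BIND lines, consumed by RESULT lines
    runs = defaultdict(int)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            if dn:  # skip anonymous binds, which carry an empty dn
                pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is None:
                continue  # bind response for a bind we did not see (or anonymous)
            if err == "49":
                runs[dn] += 1
            elif err == "0":
                runs[dn] = 0
    return dict(runs)


def users_to_disengage(log_text, threshold):
    """DNs whose consecutive-failure run has reached the configured threshold.

    These are the entries on which the post's hypothetical
    "remoteauth_enabled=False" flag would be set.
    """
    runs = consecutive_bind_failures(log_text)
    return sorted(dn for dn, n in runs.items() if n >= threshold)


if __name__ == "__main__":
    for dn in users_to_disengage(SAMPLE_LOG, threshold=3):
        print(f"disengage remoteauth for {dn}")
```

Run against real slapd logs this gives a quick measure of how often a given DN would hit the upstream directory under the proposed behaviour, which is the load and lockout concern the post raises; resetting the counter on err=0 is what keeps a user whose new upstream password has just been stored from being disengaged by the earlier failures.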