I document the resolution here in the hope it may save others from similar embarrassment.
Short form:
The ldapsearch error termination message:
user not found: unable to canonify user and get auxprops
meant, at least in this case, that the SASL password database (/etc/ldap/sasl2/sasldb2) did not contain the userid specified by option "-U".
This message is distinct from the message issued on a password error for a userid that is present in the database:
authentication failure: client response doesn't match what we generated (tried bogus)
My perplexity was caused by two reasonable (to me at least) misconceptions that falsely reinforced each other:
1. "unable to canonify user" meant a problem more complex than simply "user not found" in the SASL database itself.
2. Execution of a SASL AuthzRegexp LDAP lookup proved that the SASL user password had been successfully checked (i.e., that a -U userid SASL password is checked PRIOR to AuthzRegexp processing).
The root cause blunder: omitting the saslpasswd2 option "-f /etc/ldap/sasl2/sasldb2" when creating the SASL userid. This created the ID in /etc/sasldb2 instead. Verifying existence of the ID with sasldblistusers2 (also forgetting option "-f", of course) confirmed that the ID in question was present ... in the wrong place.
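For anyone hitting the same "user not found: unable to canonify user" message, the check below is an added illustration and not part of the original post: a small POSIX sh helper that lists the userids in the sasldb slapd actually reads (/etc/ldap/sasl2/sasldb2, the path from the post) and in the saslpasswd2 default (/etc/sasldb2), so a userid created without "-f" shows up in the second and not the first. The helper names, the constructed sample listing and the realm placeholder are this example's own; it assumes sasldblistusers2 prints one entry per line in the form "user@realm: userPassword".

```shell
#!/bin/sh
# Added example: find out which sasldb a SASL userid really lives in.
# Paths come from the post; function names are this example's own.

SLAPD_SASLDB=/etc/ldap/sasl2/sasldb2   # the database slapd consults
DEFAULT_SASLDB=/etc/sasldb2            # where saslpasswd2 writes when -f is omitted

# Reduce sasldblistusers2-style output on stdin ("user@realm: userPassword")
# to bare userids, one per line. The "@realm" part is optional.
sasldb_userids() {
    sed -n 's/^\([^@:]*\)\(@[^:]*\)\{0,1\}:.*$/\1/p'
}

# Exit 0 if the listing on stdin contains the exact userid given as $1.
listing_has_user() {
    sasldb_userids | grep -qxF "$1"
}

# Exit 0 if userid $2 is present in sasldb file $1.
# Needs sasldblistusers2 from cyrus-sasl (Debian package sasl2-bin).
sasldb_has_user() {
    sasldblistusers2 -f "$1" 2>/dev/null | listing_has_user "$2"
}

# Report every candidate sasldb that holds userid $1; exit 1 if none does.
# A userid present only in $DEFAULT_SASLDB is exactly the misplaced-ID case
# from the post: ldapsearch -U will still say "user not found".
locate_sasl_user() {
    found=1
    for db in "$SLAPD_SASLDB" "$DEFAULT_SASLDB"; do
        if sasldb_has_user "$db" "$1"; then
            echo "$1 found in $db"
            found=0
        fi
    done
    [ "$found" -eq 0 ] || echo "$1 not found in $SLAPD_SASLDB or $DEFAULT_SASLDB" >&2
    return $found
}

# Constructed sample of sasldblistusers2 output, for offline self-checking.
SAMPLE_LISTING='bill@ldaphost: userPassword
admin@ldaphost: userPassword'

# The fix the post describes, for reference (REALM is a placeholder):
#   saslpasswd2 -f /etc/ldap/sasl2/sasldb2 -c -u REALM bill
#   sasldblistusers2 -f /etc/ldap/sasl2/sasldb2

# Usage: sh thisscript.sh USERID   (only runs when the tool is installed)
if [ $# -gt 0 ] && command -v sasldblistusers2 >/dev/null 2>&1; then
    locate_sasl_user "$1" || :
fi
```

Run it as "sh check_sasldb.sh bill" on the LDAP host; if the userid is reported only under /etc/sasldb2, re-create it with "saslpasswd2 -f /etc/ldap/sasl2/sasldb2" as described above.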
I apologize to the list for the mistaken post.
Bill Clay