Ferenc Wagner wrote:
You do not "logon", you use external authentication, which means there's no separate BIND step,
Strictly speaking this is not correct because indeed a separate SASL/EXTERNAL bind request is sent by the client.
External authenication is not done by slapd (hence its name; it's done by the kernel in the above case), thus slapd can't fail it.
slapd indeed extracts the Unix peer credentials, which are provided by the OS, only in case it receives a SASL/EXTERNAL bind request over LDAPI.
In summary that's probably what you meant but let us be more precise because it makes a difference when looking at LDAP client support.
Ciao, Michael.