I defined:
     ldap_mech: PLAIN

I am new at LDAP , that is obvious I guess.  But, I've been around Unix for 30 years.

This is the latest output from saslauthd in debug mode :

saslauthd[19271] :main            : num_procs  : 5
saslauthd[19271] :main            : mech_option: NULL
saslauthd[19271] :main            : run_path   : /var/run/saslauthd
saslauthd[19271] :main            : auth_mech  : ldap
saslauthd[19271] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[19271] :detach_tty      : master pid is: 0
saslauthd[19271] :ipc_init        : listening on socket: /var/run/saslauthd/mux
saslauthd[19271] :main            : using process model
saslauthd[19271] :have_baby       : forked child: 19272
saslauthd[19271] :have_baby       : forked child: 19273
saslauthd[19271] :have_baby       : forked child: 19274
saslauthd[19271] :have_baby       : forked child: 19275
saslauthd[19271] :get_accept_lock : acquired accept lock
saslauthd[19271] :rel_accept_lock : released accept lock
saslauthd[19272] :get_accept_lock : acquired accept lock
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP  182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying  182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
ldap_unbind
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_url_parse_ext(ldap:// 182.19.136.42:389)
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP  182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying  182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
saslauthd[19271] :do_auth         : auth failure: [user=testuser] [service=slapd] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[19271] :do_request      : response: NO


Tim


On Thu, Dec 31, 2015 at 10:29 AM, Dan White <dwhite@cafedemocracy.org> wrote:
On 12/17/15 18:32 -0600, Timothy Keith wrote:
We are attempting to set up an LDAP server which will answer queries
from an application. The database will contain metadata on a set of
users in the application. The application will also query the server
to authenticate the user’s password, however, this server will not
house the password. That resides on another server, which our server
will query.   We do not have administrative rights to the other
server.

The difficulty we are having now is setting up the pass-through
authentication for the passwords. Any pointers in how to proceed with
this would be greatly appreciated.

On 12/21/15 17:24 -0600, Timothy Keith wrote:
We have limited access to the servers.  Same company, different IT
organization.   Our LDAP requirement must be transparent to those servers.
We want to inherit the LDAP directory information from the Unix servers -
mostly the user Id and passwords, and add information that is needed  by
applications that our servers will manage.

On 12/31/15 09:51 -0600, Timothy Keith wrote:
On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwhite@cafedemocracy.org> wrote:
On 12/30/15 18:51 -0600, Timothy Keith wrote:

This is tail of the latest saslauthd debug  output :

ldap_sasl_interactive_bind: user selected: DIGEST-MD5


res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched:
<>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: DIGEST-MD5
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
ldap_err2string


Is DIGEST-MD5 available on your ldap server? Try:

ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b ""
supportedSASLMechanisms
Which should list the advertised sasl mechanisms.

Verify the digest-md5 mechanism is installed with
saslpluginviewer/pluginviewer.

Dan, that ldapsearch returns :
dn:
supportedSASLMechanisms: PLAIN

The server is only offering the PLAIN mechanism to you. It appears you're
using saslauthd's ldap backend, and have explicitly configured 'ldap_mech:
digest-md5' in your corresponding config. If that's correct, you could
change that to PLAIN instead.

Consider protecting the bind with tls if available.

slapo-pbind may be a simpler alternative (to pass-through sasl
authentication), depending on the specifics of your setup.

--
Dan White