Hi Dan,
OK, I got things working. Thank you for your patience!
What DN would I use for simple authentication? Maybe Thunderbird cannot perform a SASL BIND?
It seems Thunderbird only performs a simple bind.
For simple authentication, you'd need to specify the DN of an entry within your LDAP tree.
This statement helped me put it all together.
Another missing piece for me was the userPassword attribute. I didn't realize that it was to be part of an entry (for some reason, I thought it was a slapd.conf parameter). I added this attribute for the users whom I want to allow to authenticate.
It is acceptable to me to bind against the full DN of a user's entry, so I bind against this:
cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org
The userPassword attribute is set to:
userPassword: {SASL}erik
So now, simple binds work:
    erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -D 'cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org' -W
    Enter LDAP Password:
    dn:cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org
For SASL binds, it also works:
    erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -U erik -W
    Enter LDAP Password:
    SASL/PLAIN authentication started
    SASL username: erik
    SASL SSF: 0
    dn:uid=erik,cn=plain,cn=auth
Looking through the Admin guide, I decided on a set of rules that seem to accomplish what I want:
access to attrs=userPassword by self =xw by anonymous auth by * none
access to * by self write by users write by * none
Again, thanks for your help. I learned a lot -- I believe I know enough now to make better sense of the Admin guide.
Regards,
Erik
openldap-technical@openldap.org
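The two access directives posted above are the interesting part of the message: userPassword is readable by nobody, anonymous clients get exactly the auth privilege needed for a simple bind, and the owner gets exactly what is needed to change the password. The following Python script is an added example, not code from the thread or from the OpenLDAP project. It models the relevant slice of slapd's ACL semantics (first matching "access to" directive wins, first matching "by" clause within it decides, a matched directive with no matching clause grants nothing) for the `<what>` and `<who>` forms used in the message, and audits the posted rule set against a constructed weaker variant in which the userPassword directive is left out. The "other authenticated user" DN and the `WEAK_RULES` list are constructed for illustration; the privilege letters and level names are slapd's own.

```python
# Added example (not from the original thread): a small evaluator for slapd.conf
# "access to" directives, used to check what each class of requester can do to
# userPassword under a given rule set.
#
# Semantics modelled: the first "access to" directive whose <what> matches the
# target is selected; within it the first "by" clause whose <who> matches the
# requester decides the privileges, and a matched directive with no matching
# "by" clause grants nothing. Only the forms used in the thread are supported
# (<what>: * or attrs=...; <who>: self, anonymous, users, *); the "break" and
# "continue" controls are rejected rather than silently mis-modelled.

# slapd privilege letters: d=disclose x=auth c=compare s=search r=read w=write m=manage
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
    "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm",
}

def parse_access(spec):
    """'read' -> {d,x,c,s,r}; '=xw' (exact privilege set) -> {x,w}."""
    if spec.startswith("="):
        unknown = set(spec[1:]) - set("dxcsrwm")
        if unknown:
            raise ValueError(f"unknown privilege letters {sorted(unknown)} in {spec!r}")
        return set(spec[1:])
    if spec in LEVELS:
        return set(LEVELS[spec])
    raise ValueError(f"unsupported access level {spec!r}")

def parse_directive(line):
    """Parse one 'access to <what> by <who> <access> [by ...]' line."""
    tokens = line.split()
    if tokens[:2] != ["access", "to"] or len(tokens) < 3:
        raise ValueError(f"not an access directive: {line!r}")
    what, rest, clauses = tokens[2], tokens[3:], []
    while rest:
        if rest[0] != "by" or len(rest) < 3:
            raise ValueError(f"malformed by-clause in {line!r}")
        who, access = rest[1], rest[2]
        if who not in ("self", "anonymous", "users", "*"):
            raise ValueError(f"unsupported <who> {who!r}")
        clauses.append((who, parse_access(access)))
        rest = rest[3:]
        if rest and rest[0] in ("stop", "break", "continue"):
            if rest[0] != "stop":
                raise ValueError(f"control {rest[0]!r} not modelled")
            rest = rest[1:]
    return what, clauses

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what> {what!r}")

def who_matches(who, target_dn, requester_dn):
    # requester_dn is None for an anonymous (not yet bound) client
    return (who == "*"
            or (who == "anonymous" and requester_dn is None)
            or (who == "users" and requester_dn is not None)
            or (who == "self" and requester_dn is not None and requester_dn == target_dn))

def privileges(rules, target_dn, attr, requester_dn):
    """Privilege letters requester_dn (None = anonymous) has on attr of target_dn."""
    for what, clauses in rules:
        if what_matches(what, attr):
            for who, privs in clauses:
                if who_matches(who, target_dn, requester_dn):
                    return privs
            return set()   # directive matched, no by-clause did: implicit 'by * none'
    return set()           # no directive matched: slapd denies by default

def password_readers(rules, target_dn):
    """Requester classes that can read (r) target_dn's userPassword; ideally empty."""
    # Constructed probe identities; the 'other' DN is a placeholder, not a real entry.
    probes = {"anonymous": None, "self": target_dn,
              "other authenticated user": "cn=Someone Else,dc=example,dc=org"}
    return [name for name, dn in probes.items()
            if "r" in privileges(rules, target_dn, "userPassword", dn)]

# The two directives from the message, exactly as posted.
POSTED_RULES = [
    "access to attrs=userPassword by self =xw by anonymous auth by * none",
    "access to * by self write by users write by * none",
]
# Constructed weaker variant for contrast: the userPassword directive is omitted,
# so the catch-all "access to *" governs the password attribute as well.
WEAK_RULES = ["access to * by self write by users write by * none"]

ERIK = "cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org"

def audit(lines, target_dn=ERIK):
    """Summarise what the rule set means for target_dn's password."""
    rules = [parse_directive(line) for line in lines]
    return {
        "anonymous can auth": "x" in privileges(rules, target_dn, "userPassword", None),
        "self can change password": "w" in privileges(rules, target_dn, "userPassword", target_dn),
        "password readable by": password_readers(rules, target_dn),
    }

if __name__ == "__main__":
    for label, lines in (("posted", POSTED_RULES), ("weak", WEAK_RULES)):
        print(label, audit(lines))
```

Running it shows the point of the posted first directive: under the weaker variant every authenticated user can read everyone's userPassword, and anonymous clients have no auth privilege at all, so a simple bind (which is evaluated while the client is still anonymous) would fail. Note that a {SASL} password value only points slapd at the SASL backend, so "readable" there discloses the mapped authentication identity rather than a secret; a {SSHA} or cleartext value under the same weak rules would be a real leak.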