--On Monday, November 4, 2024 8:29 PM -0300 tmp 2810 t2810mp@gmail.com wrote:

Once again, I apologize; I ran so many tests that I accidentally copied one where the binddn was incorrect.

The target looks more like this:

## example.com uri             "ldaps://ldap.google.com/dc=proxy" suffixmassage   "dc=proxy" "dc=example,dc=com" lastmod  off readonly on idassert-bind   bindmethod=simple                         binddn="cn=ChiwewDaw"

cn, is by definition, case insensitive. If Google LDAP is forcing case sensitivity in this attribute, it is gross violation of the LDAP RFCs. However, having had to interface with it in the past, I don't believe that is the case. I would generally suspect that this is not the full DN of the user.

idassert-bind   bindmethod=sasl                         saslmech=EXTERNAL                         tls_reqcert=demand                         tls_reqsan=demand                         starttls=critical

This is not sufficient, please read the man page:

idassert-bind bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>] [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>] [authcId=<authentication ID>] [authzId=<authorization ID>] [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>] [starttls=no|yes|critical] [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_reqsan=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_ecname=<names>] [tls_protocol_min=<version>] [tls_crlcheck=none|peer|all]

You *must* specify tls_cert, tls_key, and tls_cacert as a part of idassert-bind as it provides the TLS identity to bind as. In your configuration for simple bind, tls_cert and tls_key are unnecessary as you're not doing SASL/EXTERNAL binds.

--Quanah