The way it's implemented is that it looks up the password of an entry using this search filter: "uid=<your user>,<your baseSearchDN>"
so in your case, for a user named 'admin', and if your search base DN is "dc=example, dc=com", it's searching for the password of an entry whose DN is "uid=admin,dc=example,dc=com". If your user name is a DN, then it will look up an entry like "uid=uid=admin, dc=example,dc=com,dc=example,dc=com"... Not likely to find the password :)

Now, it may be a bit too rigid, and we can discuss a better way to handle such mechanisms, but that's another story.

FYI, OpenLDAP uses some configuration to manage SASL auth:

"Now, you should set the sasl-regexp directive in the slapd.conf file before starting the slapd daemon and testing the authentication. My slapd.conf file resides at /usr/local/etc/openldap:

    sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever

This parameter is in the format of:

    uid=<username>,cn=<realm>,cn=<mech>,cn=auth

The username is taken from sasl and inserted into the ldap search string in the place of $1"

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
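The two lookups described in the reply above, worked through in Python as an added example (not code from the message or from either directory server): the rigid "uid=<user>,<base>" construction that nests a DN inside a DN, and an OpenLDAP-style sasl-regexp substitution. The base DN and the stricter second rule are constructed here; the realm rdnt03 and target "uid=$1,ou=People,o=Ever" are the values quoted in the message.

```python
import re

# Constructed base DN for the example (same as the one in the reply).
BASE_DN = "dc=example,dc=com"


def naive_password_dn(user, base_dn=BASE_DN):
    """Build the DN exactly as the reply describes: uid=<user>,<base>.
    If `user` is already a DN, the result becomes one DN nested in another."""
    return f"uid={user},{base_dn}"


def looks_like_dn(user):
    """True when the supplied name already carries RDN separators ('=' or ','),
    i.e. the input shape that makes naive_password_dn() produce a DN that
    cannot match any entry. A server can reject such names up front."""
    return "=" in user or "," in user


def sasl_regexp(auth_id, pattern, replacement):
    """Apply one sasl-regexp style rule: the SASL identity
    uid=<username>,cn=<realm>,cn=<mech>,cn=auth is matched against
    `pattern` and $1 in `replacement` receives capture group 1.
    Returns None when the rule does not apply (no match)."""
    m = re.fullmatch(pattern, auth_id)
    if not m:
        return None
    return replacement.replace("$1", m.group(1))


# Rule in the shape quoted from the OpenLDAP docs. The greedy (.*) accepts
# anything as the username, including a string that is itself a DN.
RULE = (r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,o=Ever")

# Constructed stricter variant: the username may not contain '=' or ',',
# so a DN-shaped username simply fails to map instead of producing garbage.
STRICT_RULE = (r"uid=([^,=]+),cn=rdnt03,cn=DIGEST-MD5,cn=auth",
               "uid=$1,ou=People,o=Ever")


if __name__ == "__main__":
    print(naive_password_dn("admin"))
    print(naive_password_dn("uid=admin,dc=example,dc=com"))
    auth = "uid=jsmith,cn=rdnt03,cn=DIGEST-MD5,cn=auth"
    print(sasl_regexp(auth, *RULE), sasl_regexp(auth, *STRICT_RULE))
```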
