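#!/usr/bin/env bash
# Reproduction of a slapd/Cyrus SASL auxprop problem: a fresh Debian sid chroot
# with slapd, one DIGEST-MD5 user whose LDAP userPassword is the placeholder
# string 'disabled', and a sasldb entry for the same user with a real secret.
#
# This is a session transcript turned into a script, not a turnkey installer:
#   - everything after `chroot` was typed inside the shell that `chroot` opens;
#     run as a batch script, `chroot` would start an interactive shell and the
#     remaining lines would run on the host once that shell exits;
#   - dpkg-reconfigure, saslpasswd2 and `ldapwhoami -Y DIGEST-MD5` prompt on
#     the terminal; the value entered at each prompt is noted in a comment;
#   - no `set -e`: some of the ldapwhoami probes are *expected* to fail, and
#     the point of the run is to observe which ones do.
# Output from the original run is kept as comments next to the command.

# --- host side ---------------------------------------------------------------
mkdir -p /var/local/chroot/ldap-sasldb-bug
debootstrap sid /var/local/chroot/ldap-sasldb-bug
chroot /var/local/chroot/ldap-sasldb-bug

# --- inside the chroot -------------------------------------------------------
mount -t proc proc /proc
/etc/init.d/rsyslog start
aptitude update
aptitude dist-upgrade
aptitude install less vim locales sasl2-bin libsasl2-modules ldap-utils
dpkg-reconfigure locales   # prompt: select "en_US.UTF-8 UTF-8"

# Name the host ldap.example.com before installing slapd -- presumably so the
# Debian slapd setup derives the dc=example,dc=com suffix used below (confirm).
sed -i 's/127.0.0.1.*/127.0.0.1 ldap.example.com ldap localhost/' /etc/hosts
echo "ldap" > /etc/hostname
hostname -F /etc/hostname

aptitude install slapd

# Map the local root peer credential (ldapi:// + SASL EXTERNAL) to the admin
# DN, and DIGEST-MD5 identities of the form uid=<user>,cn=<realm>,cn=auth to
# the matching entry under ou=people.  The delimiter is quoted so the regexps
# are written byte-for-byte; the original unquoted heredoc ("\\\+", "\$1")
# produced this same text after shell backslash processing.
cat >> /etc/ldap/slapd.conf << 'EOF'
authz-regexp gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=admin,dc=example,dc=com
authz-regexp uid=([^,]+),cn=([^,]+),cn=auth ldap:///ou=people,dc=example,dc=com??one?(uid=$1)
EOF
/etc/init.d/slapd restart

# Sanity check: root over the ldapi socket must now map to cn=admin.
ldapwhoami -H ldapi:/// -Y EXTERNAL
# SASL/EXTERNAL authentication started
# SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# SASL SSF: 0
# dn:cn=admin,dc=example,dc=com

# Client defaults: local socket, SASL EXTERNAL, so the ldapadd below runs as
# cn=admin without a password.
sed -i 's/^#BASE.*/BASE dc=example,dc=com/' /etc/ldap/ldap.conf
sed -i 's|^#URI.*|URI ldapi:///|' /etc/ldap/ldap.conf
echo "SASL_MECH EXTERNAL" > /root/.ldaprc

# Test user.  userPassword is the literal placeholder 'disabled'.
# NOTE(review): the probes below show that this string is accepted as the
# DIGEST-MD5 secret, i.e. writing a placeholder into userPassword does not
# disable the account -- it *is* the account's password until sasldb is
# actually consulted.
ldapadd << 'EOF'
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: uid=jsmith@example.com,ou=people,dc=example,dc=com
uid: jsmith@example.com
uidNumber: 1371123675
gidNumber: 1260883194
homeDirectory: /home/jsmith@olp.net
loginShell: /bin/bash
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
gecos: jsmith@example.com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: jsmith@example.com
userPassword: disabled
EOF

# Probe 1: DIGEST-MD5 against the directory-stored userPassword.
ldapwhoami -Y DIGEST-MD5 -U jsmith@example.com   # prompt: entered 'disabled'  -> works

# Give the same user a different secret in sasldb and point the SASL library
# config for slapd at the sasldb auxprop.  The sasl group membership is
# presumably what lets slapd read the sasldb file (confirm).
saslpasswd2 -c jsmith@example.com                # prompt: entered 'thegoodword'
adduser openldap sasl
echo "auxprop_plugin: sasldb" > /usr/lib/sasl2/slapd.conf
/etc/init.d/slapd restart

# Probe 2, with only the SASL-library-side config changed.
# Observed: 'thegoodword' fails, 'disabled' works -- sasldb is not consulted;
# slapd still authenticates against userPassword.
ldapwhoami -Y DIGEST-MD5 -U jsmith@example.com

# Probe 3: tell slapd itself to use the sasldb auxprop (slapd.conf directive),
# then restart.
echo "sasl-auxprops sasldb" >> /etc/ldap/slapd.conf
/etc/init.d/slapd restart

# Observed: 'disabled' fails, 'thegoodword' works -- the sasldb secret is now
# the one that counts, and the placeholder userPassword no longer authenticates.
ldapwhoami -Y DIGEST-MD5 -U jsmith@example.com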