I document the resolution here in the hope it may save others from
similar embarrassment.
Short form:
The ldapsearch error termination message:
user not found: unable to canonify user and get auxprops
meant, at least in this case, that the SASL password database
(/etc/ldap/sasl2/sasldb2) did not contain the userid specified by option
"-U".
This message is distinct from the message issued on a password error for
a userid that is present in the database:
authentication failure: client response doesn't match what
we generated (tried bogus)
TLDR:
My perplexity was caused by two reasonable (to me at least)
misconceptions that falsely reinforced each other:
1. "unable to canonify user" meant a problem more complex than simply
"user not found" in the SASL database itself.
2. Execution of a SASL AuthzRegexp LDAP lookup proved that the SASL user
password had been successfully checked (i.e., that a -U userid SASL
password is checked PRIOR to AuthzRegexp processing).
The root cause blunder: omitting the saslpasswd2 option "-f
/etc/ldap/sasl2/sasldb2" when creating the SASL userid. This created
the ID in /etc/sasldb2 instead. Verifying existence of the ID with
sasldblistusers2 (also forgetting option "-f", of course) confirmed that
the ID in question was present ... in the wrong place.
I apologize to the list for the mistaken post.
Bill Clay
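A small check for the situation described above, added here as an example and not part of Bill's post: it looks a userid up in the sasldb slapd actually reads (/etc/ldap/sasl2/sasldb2) and, if it is absent there, in the default /etc/sasldb2 that saslpasswd2 writes to when "-f" is omitted. It assumes the sasldblistusers2 line format "user@realm: userPassword"; the userid "bill" and the realm "ldap.example.org" in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a SASL userid
# lives in the sasldb that slapd reads, and flag the case where it was
# created in the default /etc/sasldb2 by omitting saslpasswd2's "-f".
# The two paths are the ones named in the post; userid "bill" and realm
# "ldap.example.org" below are assumed for illustration only.

LDAP_SASLDB=/etc/ldap/sasl2/sasldb2   # the db slapd's SASL config points at
DEFAULT_SASLDB=/etc/sasldb2           # where saslpasswd2 writes without -f

# listing_has_user LISTING USERID
# sasldblistusers2 prints one entry per line as "user@realm: userPassword".
# Return 0 if USERID (in any realm) appears in LISTING, else 1.
listing_has_user() {
    printf '%s\n' "$1" | awk -v u="$2" '
        { split($1, parts, "@"); if (parts[1] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# db_has_user DBPATH USERID
# Run sasldblistusers2 against one specific db (needs read access to it).
db_has_user() {
    [ -r "$1" ] || return 1
    listing_has_user "$(sasldblistusers2 -f "$1" 2>/dev/null)" "$2"
}

# check_sasl_user USERID
# Exit 0 if the id is in the right db, 2 if it only exists in the default
# db (the mistake from the post), 1 if it is in neither.
check_sasl_user() {
    if db_has_user "$LDAP_SASLDB" "$1"; then
        echo "ok: $1 present in $LDAP_SASLDB"
        return 0
    fi
    if db_has_user "$DEFAULT_SASLDB" "$1"; then
        echo "WRONG DB: $1 is in $DEFAULT_SASLDB, not $LDAP_SASLDB (saslpasswd2 -f omitted?)"
        return 2
    fi
    echo "missing: $1 in neither db; ldapsearch -U $1 will report 'user not found'"
    return 1
}

# Creating the id in the right place (as root, by hand):
#   saslpasswd2 -c -f "$LDAP_SASLDB" -u ldap.example.org bill
#   sasldblistusers2 -f "$LDAP_SASLDB"

if [ "$#" -gt 0 ]; then
    check_sasl_user "$1"
fi
```

Run it as "sh check_sasl_user.sh bill" on the LDAP host; a return code of 2 is exactly the wrong-database case, and a userid that is present but has the wrong password will still pass this check, since that is the separate "client response doesn't match" failure.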