As I wrote in that old message (a bit less clearly :-), I wonder if both
the quoted text and the original authmeth DIGEST-MD5 text are too strict,
though I didn't know what to do about it at the time:

Formally, I imagine the server could regard <cn=Bob,...> and
<cn=bob,...> as different DIGEST-MD5 usernames which have the same
password: Since the username => password mapping in the example is
implemented in LDAP, the mapping has LDAP semantics.

For DIGEST-MD5, that would only work if the server stores the password
as plaintext so it can hash it with the username provided by the client.
It won't work if what the server stores is a hash of (password, DN,
realm).

I don't know the intent of either SASL or LDAP specs in this regard
though.
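
Added example, not part of the original message: a Python sketch of the RFC 2831 response computation (qop=auth, no authzid) showing why the stored form of the secret decides whether <cn=bob,...> can authenticate against an entry provisioned as <cn=Bob,...>. The DN, realm, password, nonces and the lowercase lookup standing in for LDAP DN matching are constructed assumptions.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd): the value a server may store instead of the password."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce, cnonce, nc, digest_uri, qop="auth") -> str:
    """RFC 2831 response value for qop=auth with no authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2).hex()}"
    return h(kd.encode("utf-8")).hex()

def dn_key(dn: str) -> str:
    # Assumption: lowercasing stands in for LDAP DN matching (case-insensitive cn).
    return dn.lower()

# Constructed sample data.
REALM = "example.com"
PROVISIONED_DN = "cn=Bob,dc=example,dc=com"
CHALLENGE = dict(nonce="constructed-nonce", cnonce="constructed-cnonce",
                 nc="00000001", digest_uri="ldap/ldap.example.com")

# Server A keeps the plaintext password; server B keeps H(DN:realm:password).
PLAINTEXT_DB = {dn_key(PROVISIONED_DN): "secret"}
HASHED_DB = {dn_key(PROVISIONED_DN): user_secret(PROVISIONED_DN, REALM, "secret")}

def client_response(username: str, password: str) -> str:
    return digest_response(user_secret(username, REALM, password), **CHALLENGE)

def verify_plaintext(username: str, response: str) -> bool:
    password = PLAINTEXT_DB.get(dn_key(username))
    if password is None:
        return False
    # The hash is rebuilt with the spelling the client sent, so any matching DN works.
    expected = digest_response(user_secret(username, REALM, password), **CHALLENGE)
    return hmac.compare_digest(expected, response)

def verify_hashed(username: str, response: str) -> bool:
    secret = HASHED_DB.get(dn_key(username))
    if secret is None:
        return False
    # The stored hash is bound to the provisioned spelling; other spellings mismatch.
    return hmac.compare_digest(digest_response(secret, **CHALLENGE), response)
```

In both stores the LDAP-style lookup finds the entry for either spelling; only the hashed store then rejects the response, because the username bytes are already folded into the stored value.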