My application needs to allow people to use their web browsers to access a web server over the Internet to update their LDAP identity details on OpenLDAP. In effect, slapd's client would be the web server acting on behalf of the end user. It looks to me as though a good way of doing this would be proxy authorization to slapd. In other words, the web server would authenticate to slapd using a "service account" and authorize as the end user. After that, the web server could update the end user's details on slapd. It makes sense that all the end user's information - including his credentials - should be stored in the directory.
After 50 or more hours' research on the Internet, including reading scores of posts on this forum, reading the man pages for OpenLDAP and Cyrus SASL and actually trying various configurations, I am left with few options. OpenLDAP uses SASL for proxy authorization. If SASL is to use LDAP identities and credentials, it looks as though it needs to use saslauthd.
If necessary, I will go down this path, but it does look a little circuitous. Are there any alternatives which satisfy the following criteria:
1. Allows the web server to act on behalf of the end user (impersonation, proxy authorization, pass-through of credentials)
2. Allows the directory - and preferably the user's entry in the directory - to be the single store for user information, including credentials.
3. Minimizes complexity.
My fantasy is that OpenLDAP could handle proxy authorization without the need for an external daemon which itself has to authenticate to slapd.
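As an added illustration of the setup described in the question (this is not part of the original post), the following cn=config and entry changes show how slapd's own proxy authorization rules can let a service account act as end users. The suffix dc=example,dc=com, the service entry cn=webapp,ou=services,dc=example,dc=com and the user uid=alice,ou=people,dc=example,dc=com are assumed names; the directive names (olcAuthzPolicy, authzTo) and the ldap* client options are the real ones from slapd.conf(5) and ldapmodify(1).

```ldif
# Added example, not from the original post. All DNs are assumed.

# 1. Enable "to" rules: the authenticating entry (the service account)
#    lists which identities it is allowed to assume.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# 2. On the service account, restrict impersonation to ordinary user
#    entries directly under ou=people. authzTo is an operational
#    attribute, so the entry needs no extra objectClass for it.
dn: cn=webapp,ou=services,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$

# 3. The web server binds with its own credentials (a simple bind is
#    shown; a SASL bind uses -X dn:... instead of -e) and attaches the
#    RFC 4370 proxied authorization control to each operation it
#    performs for the user, for example:
#
#    ldapwhoami -x -H ldap://ldap.example.com \
#      -D cn=webapp,ou=services,dc=example,dc=com -W \
#      -e authzid="dn:uid=alice,ou=people,dc=example,dc=com"
#
#    ldapmodify -x -H ldap://ldap.example.com \
#      -D cn=webapp,ou=services,dc=example,dc=com -W \
#      -e authzid="dn:uid=alice,ou=people,dc=example,dc=com" \
#      -f alice-change.ldif
#
#    ldapwhoami should answer "dn:uid=alice,ou=people,dc=example,dc=com";
#    the modify then runs under alice's identity and is subject to her
#    ACLs (for instance "by self write" on the attributes she may edit).
```

Two practical points when using this: the regex in authzTo is the boundary of what the service account can become, so keep it as narrow as the application needs (it should never match cn=config, the rootdn or other service entries); and slapd checks only that the service account is authorized to become alice, not that alice herself supplied a valid password. The web application still has to verify the end user, and the simplest way that keeps everything in the directory is a separate simple bind as the user's own DN before switching to the proxied session.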