Thanks, I finally got it all running. The remaining issue had been the translation of the sasl name in sasl regexp. For some reason ldapdb does not include a domain cn tag, i.e. I'd expect: uid=uid,cn=domain,cn=method,cn=auth but I get uid=uid,cn=method,cn=auth is this for purpose, or a bug? Have fun, - lars.