Apple client unable to login with LDAP backend and GSSAPI or PLAIN

I have a OpenLDAP server with Kerberos5 for authentication and on Linux/Unix/Windows environments I am able to login without a problem. The LDAP server is configured to use GSSAPI or PLAIN that passes trough SASL2 the password to PAM that authenticates against KERBEROS. This is due some server software do not support GSSAPI directly yet. On macOS (latest Monterey) I am able to get ID of the users and do ldapsearch (GSSAPI) in to the LDAP server. In ssh I have enabled GSSAPI login with cleaning of credentials and I have PAM auth set to yes.

It seem that the underlying Unix (BSD variant) works fine with LDAP but macOS overlay does something funny.

I have disabled all other authentication methods except GSSAPI and PLAIN with:

/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string <METHOD_NAME>" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/<servername>.plist

I discovered this discussion did not solve my problem.

It seems that Apple LDAP client for LOGIN tries to get Kerberos5 ticket with ldap user info instead of just user info (LOG):

CLIENT_NOT_FOUND: uid=foobar,ou=People,dc=foobarbar,dc [email protected] for krbtgt/[email protected], Client not found in Kerberos database

Any tips would be highly appreciated!

The reason for no connectivity to OpenLDAP - Apple is following:

In Directory utility the user to authenticate to LDAP server needs to be same that is defined in the OpenLDAP servers config root DSE - cn=config with:

olcAuthzRegexp = {0}uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=Users,dc=foo-bar,dc=com
And
olcAuthzRegexp = {1}uid=<user_from_directory_utility>,cn=[^,]*,cn=auth cn=admin,dc=foo-bar,dc=com

Also olcSaslSecProps needs to be: noanonymous,noplain,noactive