I've got both oxTrust and CASA successfully logging in using email address instead of username!
YAY!
How?
Well, I guessed that it must be possible, but that I'm hitting a case which lots of other people hit too, where it fails, but the failure case is one that the authors and frequent users of the product don't hit.
So I took each step carefully and slowly and with lots of testing, and voilà! It works!
I suspect the error condition arises when you don't do all the right steps at once, e.g. if you change the primary key to mail, then reboot, then activate, then reboot - you end up in a fail state.
But if the primary key is uid, and the 'default authentication method' is already casa and tested and working, and this is a clean boot, and no one else is using the server - then you change the primary key from uid to email, save, activate, save, test LDAP connection, reboot. Wait. Be patient. Wait. Now it works!
I'm not going to close this case immediately, even though for me it's fixed. I want to see if there is any official feedback on this.
I think the whole 'activate' thing is confusing and the necessity to use it when changing primary key from uid to mail is not documented and the reason why it's not activated for the default primary key as uid is also not documented.