
RE: SASL External : unknown authentication method



Hello Howard

On Mon 12/05/2003 at 11:10, Howard Chu wrote:

> > I get this error :
> >
> > [francois@linux-integ francois]$ ldapsearch -ZZ -Y EXTERNAL
> > ldap_sasl_interactive_bind_s: Unknown authentication method (86)
> >         additional info: SASL(-4): no mechanism available: No worthy
> > mechs found
> 
> Your debug log indicates that the server configuration is OK. The problem
> seems to be that the client is unable to use the EXTERNAL mechanism. The "No
> worthy mechs found" message usually means that the available mechanisms
> didn't provide strong enough security. Perhaps your SSL settings negotiated a
> cleartext cipher or some other weak encoding. Or the SSL session may be fine,
> but the information about the session could not be retrieved. Since you're
> using OpenSSL 0.9.6b, I'll note that I've run into certificate problems when
> client and server used different versions of the OpenSSL library, and
> versions less than 0.9.6e are all suspect.
> 
> Run the ldapsearch with debugging enabled and see what it's doing.

ok, that's what I get :


[francois@linux-integ francois]$ ldapsearch -ZZ -Y EXTERNAL -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP linux-integ.enatel.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.50.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=linux-integ.enatel.local
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: linux-integ.enatel.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon May 12 12:38:18 2003

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/DC=local/DC=enatel/CN=Certificate Authority, issuer:
/DC=local/DC=enatel/CN=Certificate Authority
TLS certificate verification: depth: 0, err: 0, subject:
/DC=local/DC=enatel/CN=linux-integ.enatel.local, issuer:
/DC=local/DC=enatel/CN=Certificate Authority
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
=> ldap_dn2bv(16)
<= ldap_dn2bv(CN=francois,OU=people,DC=enatel,DC=local,16)=0
ldap_interactive_sasl_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (86)
        additional info: SASL(-4): no mechanism available: No worthy
mechs found

I am unable to find any useful info. I would really appreciate your help.
Thanks!

Francois

> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
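
An added example, not part of the original message: a small Python triage of the `-d 1` trace above that separates the TLS phase from the SASL phase, to show where the EXTERNAL bind stops. The function names, the phase labels and the reading of the `ldap_dn2bv` line as the client identity are assumptions; the embedded sample is constructed from lines of the trace, and the negotiated cipher strength does not appear in this trace, so it is not checked.

```python
import re

# Constructed sample: the lines of the -d 1 trace above that matter for triage.
SAMPLE_TRACE = """\
TLS certificate verification: depth: 1, err: 0, subject:
TLS certificate verification: depth: 0, err: 0, subject:
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 read finished A
<= ldap_dn2bv(CN=francois,OU=people,DC=enatel,DC=local,16)=0
ldap_int_sasl_bind: EXTERNAL
ldap_sasl_interactive_bind_s: Unknown authentication method (86)
        additional info: SASL(-4): no mechanism available: No worthy
"""

def triage(trace):
    """Extract facts about the TLS and SASL phases from a libldap debug trace."""
    errs = [int(e) for e in re.findall(r"certificate verification: depth: \d+, err: (\d+)", trace)]
    dn = re.search(r"<= ldap_dn2bv\((.*),\d+\)=(\d+)", trace)
    mech = re.search(r"ldap_int_sasl_bind: (\S+)", trace)
    err = re.search(r"ldap_sasl_interactive_bind_s: (.+) \((\d+)\)", trace)
    return {
        "chain_verified": bool(errs) and all(e == 0 for e in errs),
        "cert_requested": "read server certificate request" in trace,
        "client_cert_sent": "write client certificate" in trace,
        "handshake_finished": "read finished" in trace,
        # Assumption: a dn2bv call returning 0 is the DN taken from the client cert.
        "client_dn": dn.group(1) if dn and dn.group(2) == "0" else None,
        "mechanism": mech.group(1) if mech else None,
        "bind_error": int(err.group(2)) if err else None,
        "sasl_no_mech": "SASL(-4)" in trace,
    }

def failing_phase(facts):
    """Name the first phase that did not complete: tls, identity, sasl or none."""
    tls_keys = ("chain_verified", "cert_requested", "client_cert_sent", "handshake_finished")
    if not all(facts[k] for k in tls_keys):
        return "tls"
    if facts["client_dn"] is None:
        return "identity"
    return "sasl" if facts["bind_error"] is not None else "none"

if __name__ == "__main__":
    facts = triage(SAMPLE_TRACE)
    print(failing_phase(facts), facts)
```

On the sample, the TLS phase completes with a client certificate sent and a DN derived, and the failure is reported only at the SASL bind.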