
Re: SASL/EXTERNAL not available



On Mon, 31 Aug 2015 19:43:39 -0400,
Frank Crow <fjcrow2008@gmail.com> wrote:

> Hi,
> 
> I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use
> client-side certificates via the SASL/EXTERNAL mechanism.   I have
> successfully configured server-side certs with TLS and was wanting to
> expand my configuration on the client-side.
> 
> If I set the TLSClientVerify to "allow" or "try" and attempt to use
> "-Y EXTERNAL", I get the following message:
> 
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>               additional info: SASL (-4): no mechaism available:
> 
> 
> If I do a search on the DSE, I get the following available methods:
> 
> dn:
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: PLAIN
> 
> 
> I know that other people are using this but nobody (here at work)
> knows why my particular configuration is getting this error.   Can
> anyone help me figure this out?

It seems you have not initialised a TLS session, that is, either
StartTLS on port 389 or, without StartTLS, on secure port 636.

ldapsearch -LLL -Y EXTERNAL -ZZ -H ldap://localhost -b "" -s base supportedSASLMechanisms

SASL/EXTERNAL authentication started
SASL username: xxxxx
SASL SSF: 0
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
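
An added example, not part of the original message or of OpenLDAP: a small shell helper that compares the SASL mechanisms the root DSE advertises on a plaintext session with those advertised after StartTLS, which is the difference the reply points to. The function names and the sample LDIF are constructed for illustration, and reading the root DSE with -x is a choice made for this example.

```shell
# Added example, not from the thread; helper names are hypothetical.

# Print the supportedSASLMechanisms values from root DSE LDIF on stdin.
# LDAP attribute names are case-insensitive, so compare in lower case.
sasl_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# Exit status 0 if the LDIF on stdin advertises EXTERNAL.
offers_external() { sasl_mechs | grep -qx 'EXTERNAL'; }

# Print mechanisms listed in LDIF file $2 (TLS session) but not in $1 (plaintext).
tls_only_mechs() {
    awk -F': *' '
        tolower($1) != "supportedsaslmechanisms" { next }
        FILENAME == ARGV[1] { plain[$2] = 1; next }
        !($2 in plain)      { print $2 }
    ' "$1" "$2"
}

# Read the root DSE with an anonymous simple bind (-x); $1 = URI, $2 = "starttls"
# to require StartTLS (-ZZ). The client certificate comes from TLS_CERT/TLS_KEY
# in the user's ldaprc or from LDAPTLS_CERT/LDAPTLS_KEY in the environment.
# Usage: root_dse_mechs ldap://localhost starttls | offers_external
root_dse_mechs() {
    tls_flag=
    [ "$2" = "starttls" ] && tls_flag=-ZZ
    ldapsearch -x -LLL $tls_flag -H "$1" -b "" -s base supportedSASLMechanisms
}

# Constructed sample LDIF, modelled on the listings in the thread.
sample_plain='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5'
sample_tls='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL'

# Offline demonstration on the samples; prints the TLS-only mechanisms.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$sample_plain" > "$dir/plain.ldif"
    printf '%s\n' "$sample_tls" > "$dir/tls.ldif"
    tls_only_mechs "$dir/plain.ldif" "$dir/tls.ldif"
    rm -rf "$dir"
}
demo
```

Against a live server, save the output of root_dse_mechs with and without "starttls" to two files and pass them to tls_only_mechs.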