Re: SASL/EXTERNAL not available

[Dan White <dwhite@cafedemocracy.org>]

On 08/31/15 19:43 -0400, Frank Crow wrote:
> If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y
> EXTERNAL", I get the following message:
>
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>              additional info: SASL (-4): no mechaism available:
>
>
> If I do a search on the DSE, I get the following available methods:
>
> dn:
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: PLAIN

If you have a olcSaslAuxprops configured, verify it includes EXTERNAL.

Enable debugging on your client (e.g. -d -1), or enable logging on the
server, to verify you're properly authenticating with your client
certificate.

On 09/02/15 11:04 +0200, Dirk Kastens wrote:
> Hi Frank,
>
> if you want SASL to work, you need to have the cyrus-sasl libraries 
> installed. And slapd has to be compiled with sasl support:
>
> # rpm -qa | grep sasl
> cyrus-sasl-lib-2.1.23-8.el6.x86_64
> cyrus-sasl-2.1.23-8.el6.x86_64
> cyrus-sasl-plain-2.1.23-8.el6.x86_64
>
> # ldd /usr/sbin/slapd
> ...
>  libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8152dbb000)
> ...

Based on his output, it's clear has those listed mechanisms properly
installed. The EXTERNAL mechanism requires no additional shared libraries,
other than the libsasl2 glue library.

--
Dan White