
RE: SASL(-4): no mechanism available



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Robin SP Zhang

> Hi,
>       I want to use TLS to connect to LDAP server, but it failed.
> the debug info is
>
> ...
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_interactive_sasl_bind_s: user selected: EXTERNAL
> ldap_int_sasl_bind: EXTERNAL
> SASL/EXTERNAL authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Unknown authentication method (86)
>         additional info: SASL(-4): no mechanism available:
>
> I traced the routine and found that it failed because the auth_id of
> external
> is NULL. auth_id seems to come from the certificate, and then I found that
> SSL_get_certificate returns NULL in tls.c, so I doubted that
> my configuration of the TLS client has some error.
> I configure it in ldap.conf as
>
> TLS_CACERT 		E:\\OpenLDAP\\SYSCONF\\server.pem
> SASL_SECPROPS none
>
> Is it right? Or did I create a wrong certificate?

The SASL/EXTERNAL mechanism is only for use when you want to authenticate
with a client certificate. If all you want is to use TLS with a
password-based login, then you should not be using SASL/EXTERNAL. If you want
to log in with SASL/EXTERNAL, you need to create a client certificate and add
its location to your .ldaprc file.

Read the Admin Guide; it's already explained there.
http://www.openldap.org/doc/admin21/


  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
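As an added illustration, not part of the thread, here is a minimal user-level .ldaprc for the client-certificate case described above; the file paths are placeholders and the directives are those documented in ldap.conf(5):

```conf
# ~/.ldaprc  (user-level file: TLS_CERT and TLS_KEY are only honoured here,
# not in the system-wide ldap.conf). All paths are placeholders.

# CA that signed the server certificate, and require the server to present
# a certificate that verifies against it.
TLS_CACERT   /path/to/ca.pem
TLS_REQCERT  demand

# Client certificate and private key. Without these two lines the library
# has no certificate to offer during the handshake, SSL_get_certificate()
# returns NULL, and SASL/EXTERNAL fails with "SASL(-4): no mechanism
# available" exactly as in the original report. The server identifies the
# client by this certificate's subject DN.
TLS_CERT     /path/to/client-cert.pem
TLS_KEY      /path/to/client-key.pem

# Select EXTERNAL so the certificate, not a password, is the credential.
SASL_MECH    EXTERNAL
```

With only TLS_CACERT set (as in the original ldap.conf), the client can verify the server but has nothing to present, so EXTERNAL has no identity to bind with.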