[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?

To: Michael Ströder <michael@stroeder.com>
Subject: Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?
From: Peter Sui <peters@qnext.com>
Date: Mon, 13 Jan 2020 15:44:02 -0500
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qnext-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rzJDL0igBROGPwj1XE75wAA9Cyw2g1WcsxDThX4897U=; b=AOOqZbMdDzcnZfHj/03vjcq8Phqa7oo6EXRVP+GRzs1fLad57uNntIrQki4Yl2or4W p6Xwpqky3zR36kHpElzFq4mmba/kmZRkWILiNnFo2EKJjzJckR1qNeFJOhvAhqGJ1vGt qNzWKYXsjsdm3n4Z3e0hldgMifDo9NDeSfcGJSwEGmrtMxeWFlbP6HiVNzPdA0GmdJRI Iw181frouyRStrQPf1d4McP9fBw2jsE6RNkhR2Rbhe3VAyu8G9AAWSmfzek9+7Mz4/c9 7uXeggqagDPdwaaUamv2lYwudMEeXJ0wKJSp5jcUmOI/KC9XOvT29XEXDPJEwpLDIp0C eprg==
In-reply-to: <b1ee15bb-8c55-1814-e5c2-4e601fff13a3@stroeder.com>
References: <CAKVbK+p1Up9jxOk0hN=ihb7yf0QBbD_Xf0Y5=Db1u3Q98+j1Jg@mail.gmail.com> <b1ee15bb-8c55-1814-e5c2-4e601fff13a3@stroeder.com>

Hi Michael,

1. If I want to use Unix peer credentials, I just need to specify the url as ldapi://... , and still use ldapwhoami command like:

ldapwhoami -H ldapi://example.com:389 -YEXTERNAL

right ?

2. what If I want to use TLS client certs, except we set the certificate file in the .ldaprc, do we still run the same ldapwhoami command, like:

ldapwhoami -H ldap://example.com:389 -YEXTERNAL

ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z

Thanks!

Peter

On Mon, Jan 13, 2020 at 3:21 PM Michael Ströder <michael@stroeder.com> wrote:

On 1/13/20 9:16 PM, Peter Sui wrote:
> I'm trying to test SASL EXTERNAL to an AD server, which saying support
> EXTERNAL.
> the command I ran is:
> ldapwhoami -H ldap://example.com:389 <http://example.com:389> -YEXTERNAL
> but it returned:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> what does this error message mean?

It means that SASL mechanism EXTERNAL cannot work in that context.

SASL/EXTERNAL uses whatever suitable authentication information is
available at transport layer: Either the Unix peer credentials in case
of ldapi:// or TLS client certs.

If you're not using one of the above SASL/EXTERNAL cannot work

Ciao, Michael.

Follow-Ups:
- Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?
  - From: Dieter Klünter <dieter@dkluenter.de>

References:
- what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?
  - From: Peter Sui <peters@qnext.com>
- Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Antw: Re: Replication of olcAccess
Next by Date: Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?
Index(es):
- Chronological
- Thread