On 08/31/15 19:43 -0400, Frank Crow wrote:
If I set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL (-4): no mechaism available:
If I do a search on the DSE, I get the following available methods:
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
If you have an olcSaslAuxprops configured, verify it includes EXTERNAL.
Enable debugging on your client (e.g. -d -1), or enable logging on the server, to verify you're properly authenticating with your client certificate.
On 09/02/15 11:04 +0200, Dirk Kastens wrote:
Hi Frank,
if you want SASL to work, you need to have the cyrus-sasl libraries installed. And slapd has to be compiled with sasl support:
# rpm -qa | grep sasl
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64
# ldd /usr/sbin/slapd
...
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8152dbb000)
...
Based on his output, it's clear he has those listed mechanisms properly installed. The EXTERNAL mechanism requires no additional shared libraries, other than the libsasl2 glue library.