I'm trying to test SASL EXTERNAL to an AD server, which saying support EXTERNAL.
the command I ran is:
ldapwhoami -H ldap://example.com:389 -YEXTERNAL
but it returned: 
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
 additional info: SASL(-4): no mechanism available: 
what does this error message mean?

I already installed the necessary package, here is my dpkg return:
~$ dpkg -l | grep sasl
ii  libauthen-sasl-perl                   2.1600-1                                        all          Authen::SASL - SASL Authentication framework
ii  libsasl2-2:amd64                      2.1.27~101-g0780600+dfsg-3ubuntu2               amd64        Cyrus SASL - authentication abstraction library
ii  libsasl2-dev                          2.1.27~101-g0780600+dfsg-3ubuntu2               amd64        Cyrus SASL - development files for authentication abstraction library
ii  libsasl2-modules:amd64                2.1.27~101-g0780600+dfsg-3ubuntu2               amd64        Cyrus SASL - pluggable authentication modules
ii  libsasl2-modules-db:amd64             2.1.27~101-g0780600+dfsg-3ubuntu2               amd64        Cyrus SASL - pluggable authentication modules (DB)
ii  libsasl2-modules-gssapi-mit:amd64     2.1.27~101-g0780600+dfsg-3ubuntu2               amd64        Cyrus SASL - pluggable authentication modules (GSSAPI)

and I can run ldapwhoami with SASL GSSAPI against the above mentioned AD server successfully.
the error seems the "EXTERNAL" is not even supported, is not about invalid credential.  I also tried to created a new certificate with the server credential, and modified the .ldaprc to point to the new certificate. still does not work.

who can tell me how ?

Thanks ahead!

Peter