I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use client-side certificates via the SASL/EXTERNAL mechanism.   I have successfully configured server-side certs with TLS and was wanting to expand my configuration on the client-side.

If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
              additional info: SASL (-4): no mechaism available:

If I do a search on the DSE, I get the following available methods:

supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN

I know that other people are using this but nobody (here at work) knows why my particular configuration is getting this error.   Can anyone help me figure this out?


Frank Crow