Hi Michael,

1. If I want to use Unix peer credentials, I just need to specify the URL as ldapi://... and still use the ldapwhoami command like: ldapwhoami -H ldapi://example.com:389 -YEXTERNAL, right?

2. What if I want to use TLS client certs? Apart from setting the certificate file in the .ldaprc, do we still run the same ldapwhoami command, like: ldapwhoami -H ldap://example.com:389 -YEXTERNAL or ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z
Thanks!
Peter
On Mon, Jan 13, 2020 at 3:21 PM Michael Ströder michael@stroeder.com wrote:
On 1/13/20 9:16 PM, Peter Sui wrote:
I'm trying to test SASL EXTERNAL to an AD server, which says it supports EXTERNAL. The command I ran is: ldapwhoami -H ldap://example.com:389 -YEXTERNAL but it returned: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: what does this error message mean?
It means that SASL mechanism EXTERNAL cannot work in that context.
SASL/EXTERNAL uses whatever suitable authentication information is available at transport layer: Either the Unix peer credentials in case of ldapi:// or TLS client certs.
If you're not using one of the above, SASL/EXTERNAL cannot work.
Ciao, Michael.
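The rule in Michael's reply (SASL/EXTERNAL only has an identity to work with when the transport supplies one: Unix peer credentials over ldapi://, or a TLS client certificate over ldaps:// or StartTLS) can be checked before running ldapwhoami. The script below is an added example and is not code from either poster or from the OpenLDAP project; the socket path, certificate paths and hostnames are assumptions, and the `-ZZ`, `TLS_CERT`/`TLS_KEY` and `LDAPTLS_CERT`/`LDAPTLS_KEY` names are standard OpenLDAP client options.

```shell
#!/bin/sh
# Added example (not from the thread): classify which transport-layer
# identity SASL/EXTERNAL would be able to use for a given ldapwhoami call.
# Arguments: $1 = LDAP URL
#            $2 = client certificate path configured via .ldaprc TLS_CERT /
#                 TLS_KEY or the LDAPTLS_CERT / LDAPTLS_KEY env vars ('' = none)
#            $3 = "starttls" if the command will be run with -Z / -ZZ
# Prints one of: peercred, tls-client-cert, none.
external_identity() {
  url=$1
  cert=$2
  starttls=$3
  case "$url" in
    ldapi://*)
      # Unix domain socket: the server reads the peer's uid/gid, so no
      # certificate is needed.  The socket path is percent-encoded in the URL.
      echo peercred
      ;;
    ldaps://*)
      # TLS from the first byte; the client cert is sent during the handshake.
      if [ -n "$cert" ]; then echo tls-client-cert; else echo none; fi
      ;;
    ldap://*)
      # Plain LDAP port: the cert is only presented after StartTLS (-Z/-ZZ).
      # Without it the bind fails with "SASL(-4): no mechanism available".
      if [ -n "$cert" ] && [ "$starttls" = starttls ]; then
        echo tls-client-cert
      else
        echo none
      fi
      ;;
    *)
      echo none
      ;;
  esac
  return 0
}

# Print the matching invocation for a classification (illustration only).
whoami_hint() {
  case "$1" in
    peercred)        echo "ldapwhoami -H '$2' -Y EXTERNAL" ;;
    tls-client-cert) echo "ldapwhoami -H '$2' -ZZ -Y EXTERNAL   # with TLS_CERT/TLS_KEY in .ldaprc" ;;
    *)               echo "no transport identity: expect 'no mechanism available' for -Y EXTERNAL" ;;
  esac
}

# Constructed sample cases (assumed paths/hosts), run when executed directly.
for spec in \
  "ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi||" \
  "ldap://example.com:389||" \
  "ldap://example.com:389|/etc/ssl/client.pem|" \
  "ldap://example.com:389|/etc/ssl/client.pem|starttls" \
  "ldaps://example.com:636|/etc/ssl/client.pem|"
do
  u=${spec%%|*}; rest=${spec#*|}; c=${rest%%|*}; s=${rest#*|}
  kind=$(external_identity "$u" "$c" "$s")
  printf '%-45s -> %-15s %s\n' "$u" "$kind" "$(whoami_hint "$kind" "$u")"
done
```

The third sample case is the one from the original question: a certificate configured in .ldaprc but the command run against ldap://…:389 without -Z, so no TLS handshake ever happens and the server sees no identity to map. Adding -ZZ (require StartTLS to succeed) turns it into a working EXTERNAL bind, provided the server trusts the client CA.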