Hi Quanah,
        Thank you for your response. I figured what you said in your response, and I have another question about the SASL. I have a ldap testing server, let's say the url is test.sample.net, and when I run the following command:
ldapsearch -H ldap://test.sample.net:389 -x -b "" -s base -LLL supportedSASLMechanisms
it returned:
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
then I run the command:
ldapsearch -H ldap://test.sample.net:389 -Y DIGEST-MD5
then it prompt:
SASL/DIGEST-MD5 authentication started
Please enter your password:
I give a password, then it prompt:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
 additional info: SASL(-13): user not found: no secret in database

so question here, what password it asked here? since it's not asking for a DN. There could be many credentials here, will the server figure out the user by the password input?

Thank you!

Peter

On Mon, Jan 6, 2020 at 8:17 PM Quanah Gibson-Mount <quanah@symas.com> wrote:


--On Tuesday, December 31, 2019 10:44 AM -0500 Peter Sui <peters@qnext.com>
wrote:

> if I run:
> ldapsearch -h ldap.forumsys.com -p 636 -b "" -s base "(objectClass=*)" -D
> "cn=read-only-admin,dc=example,dc=com"  -w password -Z 

It is not valid to combine startTLS with port 636.  Also, you should update
your options to match modern standards.


Example against ldaps:///

ldapsearch -H ldaps://ldap.forumsys.com:636

as opposed to

ldapsearch -h ldap.forumsys.com -p 636

Example against ldap:///

ldapsearch -H ldap://ldap.forumsys.com:389

as opposed to

ldapsearch -h ldap.forumsys.com -p 389


I would note that the -Z(Z) options are for startTLS (generally against
port 389).  It is not valid to mix startTLS with ldaps:// URIs.  You've not
provided any useful information about your setup, so it's not possible to
give you much help past that.

As for your SASL question, as documented in the ldapsearch man page, you
provide the SASL Mech as a parameter to the -Y option.  For example:

ldapsearch -Y GSSAPI -H ldap://ldap.forumsys.com:389

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>