I'm trying to test SASL EXTERNAL against an AD server, which says it supports EXTERNAL. The command I ran is:

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL

but it returned:

    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

What does this error message mean?
I already installed the necessary packages; here is my dpkg output:

    ~$ dpkg -l | grep sasl
    ii  libauthen-sasl-perl              2.1600-1                               all    Authen::SASL - SASL Authentication framework
    ii  libsasl2-2:amd64                 2.1.27~101-g0780600+dfsg-3ubuntu2      amd64  Cyrus SASL - authentication abstraction library
    ii  libsasl2-dev                     2.1.27~101-g0780600+dfsg-3ubuntu2      amd64  Cyrus SASL - development files for authentication abstraction library
    ii  libsasl2-modules:amd64           2.1.27~101-g0780600+dfsg-3ubuntu2      amd64  Cyrus SASL - pluggable authentication modules
    ii  libsasl2-modules-db:amd64        2.1.27~101-g0780600+dfsg-3ubuntu2      amd64  Cyrus SASL - pluggable authentication modules (DB)
    ii  libsasl2-modules-gssapi-mit:amd64 2.1.27~101-g0780600+dfsg-3ubuntu2     amd64  Cyrus SASL - pluggable authentication modules (GSSAPI)

And I can run ldapwhoami with SASL GSSAPI against the above-mentioned AD server successfully. The error seems to say that "EXTERNAL" is not even supported; it is not about an invalid credential. I also tried creating a new certificate with the server credential and modified the .ldaprc to point to the new certificate. It still does not work.
Who can tell me how?
Thanks in advance!
Peter
On 1/13/20 9:16 PM, Peter Sui wrote:
I'm trying to test SASL EXTERNAL against an AD server, which says it supports EXTERNAL. The command I ran is:

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL

but it returned:

    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

What does this error message mean?
It means that SASL mechanism EXTERNAL cannot work in that context.
SASL/EXTERNAL uses whatever suitable authentication information is available at the transport layer: either the Unix peer credentials in the case of ldapi:// or TLS client certs.
If you're not using one of the above, SASL/EXTERNAL cannot work.
Ciao, Michael.
Hi Michael,
1. If I want to use Unix peer credentials, I just need to specify the URL as ldapi://... and still use the ldapwhoami command like:

    ldapwhoami -H ldapi://example.com:389 -YEXTERNAL

right?
2. What if I want to use TLS client certs? Apart from setting the certificate file in the .ldaprc, do we still run the same ldapwhoami command, like:

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL

or

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z

Thanks!
Peter
On Mon, Jan 13, 2020 at 3:21 PM Michael Ströder michael@stroeder.com wrote:
On 1/13/20 9:16 PM, Peter Sui wrote:
I'm trying to test SASL EXTERNAL against an AD server, which says it supports EXTERNAL. The command I ran is:

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL

but it returned:

    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

What does this error message mean?
It means that SASL mechanism EXTERNAL cannot work in that context.
SASL/EXTERNAL uses whatever suitable authentication information is available at the transport layer: either the Unix peer credentials in the case of ldapi:// or TLS client certs.
If you're not using one of the above, SASL/EXTERNAL cannot work.
Ciao, Michael.
On Mon, 13 Jan 2020 15:44:02 -0500, Peter Sui peters@qnext.com wrote:
Hi Michael,
1. If I want to use Unix peer credentials, I just need to specify the URL as ldapi://... and still use the ldapwhoami command like:

    ldapwhoami -H ldapi://example.com:389 -YEXTERNAL

right?
2. What if I want to use TLS client certs? Apart from setting the certificate file in the .ldaprc, do we still run the same ldapwhoami command, like:

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL

or

    ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z

Thanks!
Peter
[...]
If authz-regexp is set correctly, it should be:

    ldapwhoami -YEXTERNAL -H ldapi:///
-Dieter
--On Monday, January 13, 2020 9:57 PM +0100 Dieter Klünter dieter@dkluenter.de wrote:
If authz-regexp is set correctly, it should be:

    ldapwhoami -YEXTERNAL -H ldapi:///
They specifically said they were trying to talk to an AD server with SASL/EXTERNAL.
Last I checked:
a) AD does not run on Linux
b) AD does not support ldapi:/// since that requires a Unix socket
c) AD does not support authz-regexp
Their only option would be certificate authentication, which would require them to get the appropriate certs issued from the AD administrators, etc., and assumes the AD server actually is configured to allow cert authentication.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org