Hi Michael,
1. If I want to use Unix peer credentials, I just need to specify
the URL as ldapi://..., and still use the ldapwhoami command, like:
ldapwhoami -H ldapi://example.com:389 -YEXTERNAL
right?
2. What if I want to use TLS client certs? Apart from setting the
certificate file in the .ldaprc, do we still run the same ldapwhoami
command, like:
ldapwhoami -H ldap://example.com:389 -YEXTERNAL
or
ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z
Thanks!
Peter
On Mon, Jan 13, 2020 at 3:21 PM Michael Ströder <[email protected]>
wrote:
> On 1/13/20 9:16 PM, Peter Sui wrote:
> > I'm trying to test SASL EXTERNAL to an AD server, which says it supports
> > EXTERNAL.
> > The command I ran is:
> > ldapwhoami -H ldap://example.com:389 -YEXTERNAL
> > but it returned:
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > additional info: SASL(-4): no mechanism available:
> > What does this error message mean?
>
> It means that SASL mechanism EXTERNAL cannot work in that context.
>
> SASL/EXTERNAL uses whatever suitable authentication information is
> available at transport layer: Either the Unix peer credentials in case
> of ldapi:// or TLS client certs.
>
> If you're not using one of the above, SASL/EXTERNAL cannot work.
>
> Ciao, Michael.
>
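An added example, not from the thread or from OpenLDAP: a small sh precheck that encodes the rule in Michael's reply (EXTERNAL needs either Unix peer credentials on an ldapi:// socket or a TLS session with TLS_CERT/TLS_KEY configured in ~/.ldaprc) and builds a correct ldapi:// URL, since ldapi:// takes a percent-encoded socket path rather than a host:port. The function names and sample paths are my own assumptions.

```shell
# Added example (not from the thread). Encodes the rule in Michael's reply:
# SASL/EXTERNAL needs an identity from the transport, either Unix peer
# credentials on an ldapi:// socket or a client certificate on a TLS session.
# Function names and sample paths below are my own, not OpenLDAP's.
# ldapi:// carries a percent-encoded socket path, not host:port.
# An empty path (ldapi:///) means libldap's compiled-in default socket.
ldapi_url() {
    if [ -z "$1" ]; then
        printf 'ldapi:///'
    else
        printf 'ldapi://%s' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
    fi
}
# Usage: external_precheck URL LDAPRC [yes]   (third arg "yes" = ldapwhoami -ZZ)
# Prints a diagnosis and returns 0 only when EXTERNAL has something to use.
# -ZZ rather than -Z: plain -Z carries on without TLS if StartTLS fails,
# and then EXTERNAL fails with "no mechanism available".
external_precheck() {
    url=$1 rc=$2 starttls=${3:-no} has_cert=no tls=no
    if [ -f "$rc" ] && grep -Eq '^[[:space:]]*TLS_CERT[[:space:]]' "$rc" \
                    && grep -Eq '^[[:space:]]*TLS_KEY[[:space:]]' "$rc"; then
        has_cert=yes
    fi
    case $url in
        ldapi://*) echo "ok: Unix peer credentials over $url"; return 0 ;;
        ldaps://*) tls=yes ;;
        ldap://*)  tls=$starttls ;;
        *)         echo "fail: unsupported URL scheme in $url"; return 1 ;;
    esac
    if [ "$tls" != yes ]; then
        echo "fail: no TLS session on $url (use ldaps:// or -ZZ)"; return 1
    fi
    if [ "$has_cert" != yes ]; then
        echo "fail: TLS_CERT/TLS_KEY not set in $rc"; return 1
    fi
    echo "ok: TLS client certificate from $rc"
}
# Walk the thread's URLs through the check with a constructed ~/.ldaprc.
demo() {
    rc=$(mktemp)
    printf 'TLS_CERT /home/peter/client.pem\nTLS_KEY /home/peter/client.key\n' >"$rc"
    external_precheck ldap://example.com:389 "$rc" || true  # fail: plain ldap://
    external_precheck ldap://example.com:389 "$rc" yes      # ok: -ZZ + client cert
    external_precheck "$(ldapi_url)" /dev/null              # ok: peer credentials
    rm -f "$rc"
}
demo
```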