How to make SASL/EXTERNAL work?

Asked by qmax on 2010-10-15

Configuration of the OpenLDAP server supposes SASL/EXTERNAL authentication,
because there are no default users created during installation of OpenLDAP.

Trying to do this, I get an error:
qmax@astrum:~$ ldapsearch -Y EXTERNAL
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

What am I missing?

P.S.
Ubuntu Server 10.04 LTS

Question information

Language: English
Status: Solved
For: Ubuntu openldap
Assignee: No assignee
Solved by: qmax
Solved: 2010-10-16
Last query: 2010-10-16
qmax (qwiglydee) said : #1

SASL/EXTERNAL only works with an ldapi:/// connection.

1. slapd should be configured to listen on a local socket,
i.e. started with -h ldapi:///
In Ubuntu it is configured in /etc/default/slapd:
SLAPD_SERVICES="ldapi:/// ..."

2. Requests should connect to it via the socket:
ldapsearch -Y EXTERNAL -H ldapi:///
The default connect method is configured in /etc/ldap/ldap.conf:
URI ldapi:///
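
An added example, not part of the original replies: a shell check of the two settings reply #1 names, reading SLAPD_SERVICES from a defaults file and the URI option from an ldap.conf-style file. The function names are hypothetical, and overrides from the environment or per-user files are not considered.

```shell
#!/bin/sh
# Added example: checks the two settings reply #1 describes, without starting slapd.
# File paths are arguments, so it can be run against copies of the files.

# Print the value of SLAPD_SERVICES from a defaults file (last assignment wins).
# The file is parsed, not sourced, so nothing in it is executed.
slapd_services() {
    sed -n 's/^[[:space:]]*SLAPD_SERVICES=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed if any listener URL in SLAPD_SERVICES uses the ldapi scheme.
slapd_listens_on_ldapi() {
    case " $(slapd_services "$1" | tr '\t' ' ')" in
        *" ldapi://"*) return 0 ;;
    esac
    return 1
}

# Print the first URI from the last "URI" line of an ldap.conf-style file.
# Option names in ldap.conf are case-insensitive; commented lines are skipped.
client_default_uri() {
    awk 'toupper($1) == "URI" { uri = $2 } END { if (uri != "") print uri }' "$1"
}

# Exit status: 0 = both sides use ldapi, 1 = client needs -H, 2 = no ldapi listener.
check_external_ready() {
    if ! slapd_listens_on_ldapi "$1"; then
        echo "server: no ldapi:// listener in SLAPD_SERVICES"
        return 2
    fi
    case "$(client_default_uri "$2")" in
        ldapi://*) echo "ok: client defaults to ldapi"; return 0 ;;
        *) echo "client: default URI is not ldapi, pass -H ldapi:///"; return 1 ;;
    esac
}

# With two arguments (defaults file, ldap.conf), check those files.
if [ "$#" -eq 2 ]; then check_external_ready "$1" "$2"; fi
```
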

Antonis Kanouras (akanouras) said : #2

SASL/EXTERNAL is supposed to be used with Kerberos authentication if I'm not mistaken.

In your case (connecting through the local socket) it behaves just as if you had done an anonymous simple bind. I wouldn't count on this to keep working though.

In other words, you can either:

1. set up Kerberos properly
2. set up some other SASL method
3. use Simple Binds (ldapsearch -x)

to access your server.

By the way, you can set up many default options (such as the bind URI) in /etc/ldap/ldap.conf or ~/.ldap.conf.

Cheers,
Antonio