Thursday, 27 August 2009

Error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" on a LDAPSearch command ...

Whilst building my mega Connections / Domino / Portal / Quickr / Sametime / WCM environment recently, I was using the LDAPSearch command that's available with many Unix installations, including Red Hat Enterprise Linux and Apple OSX.

This is a commonly-used command, and has a fairly simple syntax e.g.

ldapsearch -h hostname.domain.com cn=foobar

or: -

ldapsearch -h hostname.domain.com -b o=organisation cn=foobar

or: -

ldapsearch -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar

However, I kept seeing the error: -

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: 

After a quick Google search, it appears that that the LDAPSearch command that I was using is based upon the OpenLDAP product, which defaults to using an authentication mechanism called Simple Authentication and Security Layer (SASL).

Therefore, the LDAPSearch command was expecting to find a SASL-enabled server at the other end - given that I wasn't using OpenLDAP as a server ( I was actually using Domino LDAP ), the trick was to disable the SASL authentication on the client, using the -X switch e.g.

ldapsearch -x -h hostname.domain.com cn=foobar

or: -

ldapsearch -x -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar

Thanks to this blog post for the answer.

27 comments:

Mike Howell said...

You just saved my bacon. :-)

Dave Hay said...

Hi Mike, awesome, glad to hear it, I often search back through my own blog to find stuff that I've learnt, and then forgotten, in the past :-)

Pankaj Jangid said...

Thanks. This is useful.

Unknown said...

thank you so much!! saved me hours worth of headache!

Dave Hay said...

@Umair - thanks for the update

Rocketman said...

Same here. Simple solution to a potentially headache-inducing issue. Thanks!

Joshua Davies said...

Great tip - thanks!

Unknown said...

Saved me too! Many thanks!

My situation: doing an ldapsearch from MacOSX to a Tivoli Directory Service LDAP server running on z/OS

E said...

Thanks!

FlyingMG said...

a small parameter causing a big issue. this helped me saving much time. Thank you!

Dave Hay said...

@Marc - no problems, glad to be of service :-)

edgore said...

I am trying this (for the first time) and while your advice above got me past the -6 error now I am getting ldap_sasl_interactive_bind_s:can't contact LDAP server (-1). I have no problem contacting the server through other means (LDAP Browser, etc) anonymously so I am not sure what is going on here - I can definately reach the server, so I assume I am doing something else wrong...

Dave Hay said...

@EdGore, daft question, but check that you're specifying the correct host name or IP address, and port number, for LDAPSearch. Also, if you're using LDAP-over-SSL, then there's more work to be done before you can connect, regards, Dave

esb.b4u said...

your post is still going strong! thanks for your expertise!!!!

Dave Hay said...

@esb.b4u - always glad to help :-)

Nelson Sproul said...

@edgore: I too saw the "can't contact LDAP server (-1)" error until I started referring to the DC by IP. Not sure why DNS wasn't sufficient in this case.

Thank you, Dave, for the help!

Dave Hay said...

@Nelson - glad to be of assistance.

Unknown said...

Thanks a lot!

CMDR Unifex said...

This post has been here since 2009 and it's still saving people from headaches. This approach worked for me when trying to connect to a Microsoft Active Directory server.

Thanks Dave.

Dave Hay said...

@Gold - glad to be of assistance, cheers, Dave

Boris Epstein said...

Thanks! This helped me too:)

Jan-Wolter said...

It works now! Thx

Unknown said...

Thank you. This helped me lots!!

Dave Hay said...

Daniel, great news, glad to be of assistance :-) Dave

Unknown said...

Thanks alot
...it worked for me....

Manohar kusa from India...

Robert said...

Hi,
the LDAP server I am working on doesn't support simple bind it supports DIGEST-MD5.So I am using this command "ldapsearch -h hostname -p389 -Y DIGEST-MD5 -X () -R=dc=example,dc=com.
but I am getting the same error. Any advice on this will be appreciated.

Dave Hay said...

Hi Robert

Hmmm, I've not worked with an LDAP that offers that particular authentication mechanism, but there does appear to be experience of similar issues out there, including this: -

https://serverfault.com/questions/744050/how-to-get-sasl-authentication-to-work-with-digest-md5-for-openldap

Sorry to not be of much use :-(

Dave

Grokking grep

A colleague was tinkering with grep  and, thanks to him, I discovered a bit more about the trusty little utility. I had not really explored ...