Thursday 27 August 2009

Error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" on an ldapsearch command ...

Whilst building my mega Connections / Domino / Portal / Quickr / Sametime / WCM environment recently, I was using the ldapsearch command that ships with many Unix installations, including Red Hat Enterprise Linux and Apple OS X.

This is a commonly-used command, and has a fairly simple syntax e.g.

ldapsearch -h hostname.domain.com cn=foobar

or: -

ldapsearch -h hostname.domain.com -b o=organisation cn=foobar

or: -

ldapsearch -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar

However, I kept seeing the error: -

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: 

After a quick Google search it turned out that the ldapsearch I was using is the OpenLDAP client, which by default attempts a SASL bind (Simple Authentication and Security Layer is a framework under which client and server negotiate a mechanism such as GSSAPI or DIGEST-MD5) rather than a plain simple bind.

So ldapsearch started SASL (the "SASL/EXTERNAL authentication started" line) and its SASL library then found no mechanism it could use with the server at the other end, which was Domino LDAP rather than OpenLDAP; that is what "no mechanism available" means. The fix was to switch SASL off on the client and ask for a simple bind instead, using the lower-case -x switch (the upper-case -X is a different option, the SASL authorization identity, and will not help here) e.g.

ldapsearch -x -h hostname.domain.com cn=foobar

or: -

ldapsearch -x -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar

Two caveats go with -x. A simple bind sends the bind DN and password in clear text unless the connection is protected by TLS (ldaps:// or StartTLS via -ZZ), so do not use it over the plain port against anything you care about. And -w password on the command line ends up in shell history and in ps output; -W prompts for the password and -y reads it from a file.

Thanks to this blog post for the answer.
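The check behind all of this is simply to ask the server which SASL mechanisms it advertises before ldapsearch guesses. The script below is an added example and is not code from the original post: it queries the root DSE for supportedSASLMechanisms, compares the answer with the mechanisms the client is assumed to have plugins for (the CLIENT_SASL_MECHS list is an assumption; fill it from saslpluginviewer / pluginviewer on a real host), picks -Y MECH where there is an overlap and -x where there is none, and assembles a search command that uses TLS and a password file rather than -w. The two root-DSE samples embedded in it are constructed, not captured from Domino or any other server.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Before letting ldapsearch
# attempt its default SASL bind, ask the server which SASL mechanisms it
# offers (root DSE, attribute supportedSASLMechanisms) and compare them with
# the mechanisms this client's SASL library actually has plugins for. No
# overlap is exactly the state behind "SASL(-4): no mechanism available",
# and the right move is then an explicit simple bind (-x) over TLS.

# Mechanisms this client can use, in order of preference. An assumption for
# the example; on a real host take the list from `saslpluginviewer -c`
# (Debian) or `pluginviewer -c` (RHEL).
CLIENT_SASL_MECHS="GSSAPI DIGEST-MD5"

# Constructed samples of root-DSE LDIF (what the probe below returns); not
# captured from any real server.
SAMPLE_ROOTDSE_WITH_SASL='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL'

SAMPLE_ROOTDSE_NO_SASL='dn:
namingContexts: o=organisation'

# Read root-DSE LDIF on stdin; print the advertised mechanisms on one line,
# space separated, in the order the server listed them (empty line if none).
parse_sasl_mechs() {
    awk '
        /^supportedSASLMechanisms: */ {
            sub(/^supportedSASLMechanisms: */, "")
            sub(/\r$/, "")
            printf "%s%s", (n++ ? " " : ""), $0
        }
        END { print "" }
    '
}

# $1: mechanisms the server advertises; $2: mechanisms the client has.
# Print the ldapsearch authentication flags to use: "-Y MECH" for the first
# client-preferred mechanism the server also offers, otherwise "-x".
# EXTERNAL is skipped: it needs a TLS client certificate or an ldapi://
# socket, not the password bind this search is after.
pick_bind_flags() {
    server="$1" client="$2"
    for c in $client; do
        [ "$c" = "EXTERNAL" ] && continue
        for s in $server; do
            if [ "$c" = "$s" ]; then
                printf '%s\n' "-Y $c"
                return 0
            fi
        done
    done
    printf '%s\n' "-x"
}

# Assemble the final search command line as a string (printed, not run).
# -ZZ forces StartTLS on a plain ldap:// URI so a simple bind never sends the
# password in clear; ldaps:// is TLS already. -y reads the password from a
# file instead of -w, which would put it in shell history and ps output.
build_search_cmd() {
    uri="$1" authflags="$2" binddn="$3" pwfile="$4" base="$5" filter="$6"
    case "$uri" in
        ldaps://*) tls="" ;;
        *)         tls="-ZZ " ;;
    esac
    if [ "$authflags" = "-x" ]; then
        printf '%s\n' "ldapsearch -H $uri ${tls}-x -D $binddn -y $pwfile -b $base $filter"
    else
        # SASL mechanisms bring their own credentials (a Kerberos ticket for
        # GSSAPI); DIGEST-MD5 would additionally need -U user.
        printf '%s\n' "ldapsearch -H $uri ${tls}$authflags -b $base $filter"
    fi
}

# Live probe against a real server (not run offline):
#   ./ldap_bind_probe.sh --probe ldap://hostname.domain.com cn=admin /path/pwfile o=organisation cn=foobar
if [ "${1:-}" = "--probe" ]; then
    uri="$2"
    # The probe itself uses an anonymous simple bind (-x) so that it works
    # even against a server that offers no SASL mechanism at all.
    server_mechs="$(ldapsearch -x -LLL -o ldif-wrap=no -H "$uri" -s base -b "" supportedSASLMechanisms | parse_sasl_mechs)"
    echo "server offers: ${server_mechs:-(none)}"
    flags="$(pick_bind_flags "$server_mechs" "$CLIENT_SASL_MECHS")"
    echo "use: $(build_search_cmd "$uri" "$flags" "$3" "$4" "$5" "$6")"
fi
```

Run it with --probe against the server that produced the error and it prints what the server advertises and the command line to use; for a server that offers nothing the client can speak you get the -x form with StartTLS and a password file, which is the post's fix with the two caveats already applied.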

25 comments:

  1. Hi Mike, awesome, glad to hear it, I often search back through my own blog to find stuff that I've learnt, and then forgotten, in the past :-)

  2. thank you so much!! saved me hours worth of headache!

  3. @Umair - thanks for the update

  4. Same here. Simple solution to a potentially headache-inducing issue. Thanks!

  5. Saved me too! Many thanks!

    My situation: doing an ldapsearch from MacOSX to a Tivoli Directory Service LDAP server running on z/OS

  6. a small parameter causing a big issue. this helped me saving much time. Thank you!

  7. @Marc - no problems, glad to be of service :-)

  8. @EdGore, daft question, but check that you're specifying the correct host name or IP address, and port number, for LDAPSearch. Also, if you're using LDAP-over-SSL, then there's more work to be done before you can connect, regards, Dave

  9. your post is still going strong! thanks for your expertise!!!!

  10. @esb.b4u - always glad to help :-)

  11. @edgore: I too saw the "can't contact LDAP server (-1)" error until I started referring to the DC by IP. Not sure why DNS wasn't sufficient in this case.

    Thank you, Dave, for the help!

  12. @Nelson - glad to be of assistance.

  13. This post has been here since 2009 and it's still saving people from headaches. This approach worked for me when trying to connect to a Microsoft Active Directory server.

    Thanks Dave.

  14. @Gold - glad to be of assistance, cheers, Dave

  15. Thank you. This helped me lots!!

  16. Daniel, great news, glad to be of assistance :-) Dave

  17. Thanks a lot
    ...it worked for me....

    Manohar kusa from India...

  18. Hi,
    the LDAP server I am working on doesn't support simple bind; it supports DIGEST-MD5. So I am using this command "ldapsearch -h hostname -p389 -Y DIGEST-MD5 -X () -R=dc=example,dc=com",
    but I am getting the same error. Any advice on this will be appreciated.

  19. Hi Robert

    Hmmm, I've not worked with an LDAP that offers that particular authentication mechanism, but there does appear to be experience of similar issues out there, including this: -

    https://serverfault.com/questions/744050/how-to-get-sasl-authentication-to-work-with-digest-md5-for-openldap

    Sorry to not be of much use :-(

    Dave
