This is a commonly used command, and has a fairly simple syntax e.g.
ldapsearch -h hostname.domain.com cn=foobar
or: -
ldapsearch -h hostname.domain.com -b o=organisation cn=foobar
or: -
ldapsearch -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar
However, I kept seeing the error: -
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
After a quick Google search, it appears that the LDAPSearch command that I was using is based upon the OpenLDAP product, whose client defaults to binding with an authentication mechanism called Simple Authentication and Security Layer (SASL).
Therefore, the LDAPSearch command was attempting a SASL bind and expecting a SASL-enabled server at the other end. Given that I wasn't using OpenLDAP as a server (I was actually using Domino LDAP), the trick was to make the client use a simple bind instead of SASL, using the -x switch e.g.
ldapsearch -x -h hostname.domain.com cn=foobar
or: -
ldapsearch -x -h hostname.domain.com -b o=organisation -D cn=admin -w password cn=foobar
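As an added example (not part of the original post), here is a small POSIX shell wrapper that applies the fix above: it always passes -x for a simple bind, reads the bind password from a file with -y so it does not appear in the process list or shell history the way -w password does, and classifies ldapsearch's stderr so the "no mechanism available" error maps straight to the -x fix. It assumes OpenLDAP's ldapsearch client; the host, base DN and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenLDAP's ldapsearch client;
# host, base DN and file names below are constructed placeholders.

# Run a search with a simple bind (-x) instead of the client's default SASL bind.
# The password comes from a file via -y rather than -w on the command line, so it
# is not visible in ps output or shell history. Pass "" as the bind DN for an
# anonymous simple bind. LDAPSEARCH can be overridden for dry runs and tests.
# Args: host, base DN, bind DN (or ""), password file, filter
ldapsearch_simple() {
  host=$1; base=$2; binddn=$3; pwfile=$4; filter=$5
  # -H ldap://host is the current form of the post's -h host
  set -- -x -H "ldap://$host" -b "$base"
  if [ -n "$binddn" ]; then
    set -- "$@" -D "$binddn" -y "$pwfile"
  fi
  "${LDAPSEARCH:-ldapsearch}" "$@" "$filter"
}

# Map ldapsearch's stderr (read from stdin) to a short cause tag and next step.
classify_ldapsearch_error() {
  err=$(cat)
  case "$err" in
    *"no mechanism available"*)
      echo "sasl-default-bind: client attempted a SASL bind the server cannot satisfy; add -x for a simple bind" ;;
    *"Can't contact LDAP server"*)
      echo "cannot-contact: check host, port, DNS, and whether ldaps:// or -Z (StartTLS) is required" ;;
    *"Invalid credentials"*)
      echo "invalid-credentials: check the -D bind DN and the password file" ;;
    *)
      echo "unknown: $(printf '%s' "$err" | head -n 1)" ;;
  esac
}

# Constructed sample: the stderr text quoted in the post.
SAMPLE_SASL_ERR='SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: '

printf '%s\n' "$SAMPLE_SASL_ERR" | classify_ldapsearch_error

# Typical use, capturing stderr for classification:
#   ldapsearch_simple ldap.example.com o=organisation cn=admin ./admin.pw '(cn=foobar)' \
#     2>err.txt || classify_ldapsearch_error < err.txt
```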
Thanks to this blog post for the answer.
25 comments:
You just saved my bacon. :-)
Hi Mike, awesome, glad to hear it, I often search back through my own blog to find stuff that I've learnt, and then forgotten, in the past :-)
Thanks. This is useful.
thank you so much!! saved me hours worth of headache!
@Umair - thanks for the update
Same here. Simple solution to a potentially headache-inducing issue. Thanks!
Great tip - thanks!
Saved me too! Many thanks!
My situation: doing an ldapsearch from MacOSX to a Tivoli Directory Service LDAP server running on z/OS
A small parameter causing a big issue. This helped me save much time. Thank you!
@Marc - no problems, glad to be of service :-)
@EdGore, daft question, but check that you're specifying the correct host name or IP address, and port number, for LDAPSearch. Also, if you're using LDAP-over-SSL, then there's more work to be done before you can connect, regards, Dave
your post is still going strong! thanks for your expertise!!!!
@esb.b4u - always glad to help :-)
@edgore: I too saw the "can't contact LDAP server (-1)" error until I started referring to the DC by IP. Not sure why DNS wasn't sufficient in this case.
Thank you, Dave, for the help!
@Nelson - glad to be of assistance.
Thanks a lot!
This post has been here since 2009 and it's still saving people from headaches. This approach worked for me when trying to connect to a Microsoft Active Directory server.
Thanks Dave.
@Gold - glad to be of assistance, cheers, Dave
Thanks! This helped me too :)
It works now! Thx
Thank you. This helped me lots!!
Daniel, great news, glad to be of assistance :-) Dave
Thanks a lot
...it worked for me....
Manohar kusa from India...
Hi,
The LDAP server I am working on doesn't support simple bind; it supports DIGEST-MD5. So I am using this command "ldapsearch -h hostname -p389 -Y DIGEST-MD5 -X () -R=dc=example,dc=com.
but I am getting the same error. Any advice on this will be appreciated.
Hi Robert
Hmmm, I've not worked with an LDAP that offers that particular authentication mechanism, but there does appear to be experience of similar issues out there, including this: -
https://serverfault.com/questions/744050/how-to-get-sasl-authentication-to-work-with-digest-md5-for-openldap
Sorry to not be of much use :-(
Dave