ldap | arfore dot com

During the migration of a production system from Solaris 10 to Red Hat Enterprise Linux 5, I discovered that I had a problem with a couple of my LDAP scripts. The commands being run were standard ldapsearch and ldapmodify commands in a format similar to the following:

ldapsearch -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar
ldapmodify -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

Each time I ran the commands I got the following error:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:

It turns out that the versions of the ldapsearch and ldapmodify commands that come with RHEL5 are based on the standard OpenLDAP code. The OpenLDAP client tools default to a SASL bind, which expects a SASL authentication mechanism on the server side. The LDAP server I am connecting to is an iPlanet 5.1 LDAP server, and it is not configured to understand the SASL authentication types.

The solution is to add the -x option to the commands:

ldapsearch -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password cn=foobar
ldapmodify -x -h hostname.domain.com -p 389 -b o=organisation -D cn=admin -w password -f updates.ldif

This command option specifies that the command should be executed using simple authentication instead of SASL.
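
A simple bind sends the bind DN and password without any protection of its own, and -w leaves the password visible in the process list and shell history. The wrapper below is an added example, not part of the original post: it builds the same -x bind but reads the password from a private file (-y) and requires StartTLS (-ZZ) on ldap:// URIs. It assumes the server has TLS enabled; the function names and the password file path are hypothetical, and the host and DNs are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): simple bind (-x) without
# putting the password on the command line or sending it in cleartext.

# True if $1 is a regular file with no group/other permission bits set.
pwfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the bind options, one per line, for a simple bind to $1 (LDAP URI)
# as $2 (bind DN) with the password read from file $3.
simple_bind_args() {
    case $1 in
        ldap://*|ldaps://*) ;;
        *) echo "URI must start with ldap:// or ldaps://" >&2; return 2 ;;
    esac
    if ! pwfile_is_private "$3"; then
        echo "password file must exist and be closed to group/other" >&2
        return 3
    fi
    # -y uses the complete file contents as the password, so the file must
    # not end in a newline (create it with: printf '%s' 'secret' > file).
    printf '%s\n' -x -H "$1" -D "$2" -y "$3"
    # -ZZ requires StartTLS to succeed; ldaps:// is already inside TLS.
    case $1 in ldap://*) printf '%s\n' -ZZ ;; esac
    return 0
}

# ldap_simple TOOL URI BINDDN PWFILE [tool arguments...]
ldap_simple() {
    tool=$1 uri=$2 binddn=$3 pwfile=$4
    shift 4
    bind_args=$(simple_bind_args "$uri" "$binddn" "$pwfile") || return $?
    old_ifs=$IFS
    IFS='
'
    set -f                      # split on newlines only, no globbing
    set -- $bind_args "$@"
    set +f
    IFS=$old_ifs
    "$tool" "$@"
}

# Usage with the post's placeholder values (password file path is assumed):
#   ldap_simple ldapsearch ldap://hostname.domain.com:389 cn=admin \
#       "$HOME/.ldap_pw" -b o=organisation cn=foobar
```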
