ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Chavez, James R. james.chavez at sanmina-sci.com
Fri Aug 15 23:56:48 EDT 2008


Dan, 
You are correct, thank you! Don't know how I overlooked that on the
client.  I did not have the cyrus-sasl-gssapi package installed on the
client.
Been a long week I guess although this is all pretty new to me. Once I
installed that I was able to search the directory using gssapi from the
client.

If you do not mind, I have another question. I cannot get an answer on
any lists, but I think I am on the right track.
I have all my users in my openldap directory with their usernames or
uid's in the unix 8 character format of first initial of the first name
and then 7 characters of last name. So for example jmontana. These I
migrated from our NIS domain into the directory. I can authenticate
fine. The issue is the powers that be want everything joined to Active
Directory. The AD user account principals are in the format of
firstname_lastname or joe_montana. They do not match the naming format
of the ldap uid's. It is worth mentioning that if I rename the unix or
ldap uid to first_last I can log in perfectly using kerberos credentials,
but I would rather map the uids to stay consistent with the unix naming
scheme.
 
I need to log in and authenticate with the kerberos credentials and have
those map to the 8 character unix or ldap uid's.
Now the reason I wanted to use gssapi is because it mentions the use of
authz-regexp to map the authentication DN from the gssapi dn to a dn
existing in the directory unless I am misunderstanding.

When I issue an ldapwhoami, I get the following.
dn: uid=joe_montana,dc=gssapi,dc=auth ......

But an ldapwhoami should map to:
uid=jmontana,ou=people,dc=example,dc=com ........

For logging in, can cyrus-sasl-gssapi help me accomplish this? Or is it
more for service principals? Trying to understand.


Thank you for your time. I appreciate it.
James

-----Original Message-----
From: Dan White [mailto:dwhite at olp.net] 
Sent: Friday, August 15, 2008 6:46 PM
To: Chavez, James R.
Cc: cyrus-sasl at lists.andrew.cmu.edu
Subject: Re: ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Dan White wrote:
> ldapsearch -x -H -LLL -s "base" -b "" supportedSASLMechanisms
>
> - Dan
That's a typo. Should be:

ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms
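
Added example, not part of the original thread: one way the authz-regexp mapping asked about above can be written in slapd.conf, resolving the GSSAPI authentication DN by a directory search instead of a plain rewrite. Assumptions: each ou=people entry stores the AD principal in krbPrincipalName (MIT Kerberos schema loaded), EXAMPLE.COM is a placeholder realm, and the authentication DN has the uid=...,cn=gssapi,cn=auth form used in the OpenLDAP documentation; the match pattern has to equal whatever ldapwhoami reports on the server.

```conf
# slapd.conf fragment (added example; attribute, realm and DN form are assumptions)

# Index the lookup attribute so the mapping search done at every bind is cheap.
index krbPrincipalName eq

# authz-regexp <match> <replace>
# <match>   : regex applied to the SASL authentication DN; $1 is the
#             Kerberos user name, e.g. joe_montana
# <replace> : an LDAP URL, so slapd searches one level below ou=people for
#             the entry whose krbPrincipalName equals that principal.
# The mapping is applied only if the search returns exactly one entry;
# otherwise the connection stays bound as the unmapped authentication DN.
authz-regexp
    uid=([^,]+),cn=gssapi,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(krbPrincipalName=$1@EXAMPLE.COM)

# krbPrincipalName now decides which directory identity a Kerberos ticket
# becomes, so write access to it should be restricted to directory
# administrators in the access rules.
```

After restarting slapd, ldapwhoami with a ticket for joe_montana should report the matching ou=people entry; if it still shows the authentication DN, the search matched zero or several entries.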


