The EXTERNAL mechanism is used to perform authentication based on information that is available to the server outside of the LDAP session. At present, this is available only through SSL client authentication, in which case the information that the client's SSL certificate will be used to authenticate that client. As such, it is necessary to use SSL or StartTLS when communicating with the server, and a client certificate keystore must be available.
The EXTERNAL mechanism does not support any additional SASL options. In most cases, it can be requested using either --saslOption mech=EXTERNAL or --useSASLExternal. The following command demonstrates the use of SASL EXTERNAL authentication:
$ ldapsearch --hostname server.example.com --port 1636 --useSSL \ --keyStorePath /path/to/key.store --keyStorePasswordFile /path/to/key.store.pin \ --trustStorePath /path/to/trust.store --saslOption mech=EXTERNAL --baseDN "" \ --searchScope base "(objectClass=*)"
For more information, see Configuring SASL External Authentication.