I need to be able to use the SASL EXTERNAL mechanism to bind to my LDAP directory server from a number of Perl programs (I’ve already written a bit about this mechanism before). After installing packages perl-Digest- HMAC, perl-Digest-SHA1 and perl-Net-SSLeay on Centos 4.3 with yum, I downloaded Authen-SASL from CPAN and ran the typical perl Makefile.PL; make; make test; make install, answering _N_o to the question regarding auto-install of GSSAPI. If you need to install the Perl modules manually, you’ll need at least the Digest-SHA1, Digest-HMAC, Net_SSLeay, IO-Socket-SSL, and Authen-SASL modules installed. The rest is quite easy:

    use strict;
    use Net::LDAPS;
    use Authen::SASL qw(Perl);           
    # LDAP connection to server.
    my $sasl = Authen::SASL->new('EXTERNAL');
    my $ldap = Net::LDAPS->new('localhost', 
        port => 636, 
        onerror => 'die',
       debug => 0,
       clientcert => "dadmin.crt",
       clientkey => "dadmin.key",
       verify => 'require',
       cafile => "ca.pem")  or die $!;
    my $dn = 'dc=example,dc=com';
    my $msg = $ldap->bind( $dn, 
           sasl => $sasl, version => 3 );
    $msg->code && bail(2, "Can't bind to directory: " . $msg->error);                                                                                                          

The client certificate and key are in the PEM formatted files crt and key respectively, and the root certificate is in ca.pem