Hello,

I have been working on extending an application that searches an LDAP server
with Kerberos support.  I can now bind and then search using the following
mechanisms:

- Simple Bind
- Simple Bind with TLS
- Kerberos Bind

I am having issues when I have Kerberos bind and TLS turned on.

I can see the Kerberos ticket established, the SASL bind to the LDAP
server complete, but the LDAP search failing as the message cannot be
parsed by the server.

I use the following open source libraries:
- OpenLDAP
- Cyrus SASL
- OpenSSL
- Heimdal

In my debugging, I noticed that there are different writers that are
installed in the chain.  I turned on debugging, and hence I see these
writers called in the order listed:

- simple with TLS: sb_debug_write() -> tlso_sb_write() -> sb_debug_write()
-> sb_stream_write()
- Kerberos Bind: sb_debug_write() -> sb_sasl_generic_write() ->
sb_debug_write() -> sb_stream_write()
- Kerberos + TLS:  sb_debug_write() -> sb_sasl_generic_write() ->
sb_debug_write() -> tlso_sb_write() -> sb_debug_write() -> sb_stream_write()
Is this a use case that is supposed to work? What could I be missing?

Thanks!
Kris

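The writer chains above show the order in which each layer transforms an outgoing message. The following toy model of that layering is an added example, not libldap or Cyrus SASL code; the two-byte headers and XOR "encryption" are stand-ins for the real SASL and TLS framing. It shows that the receiving side must peel the same layers in reverse, and that a peer which does not expect one of the layers is left with bytes that are no longer a BER-encoded LDAPMessage.

```c
#include <string.h>

/* Toy model of the layered sockbuf writers listed above (added example, not libldap
 * code): each layer wraps what the layer above handed it, and the peer has to peel
 * the same layers in reverse before a BER-encoded LDAPMessage becomes visible. */
#define SASL_TAG 'S'   /* stands in for sb_sasl_generic_write (SASL security layer) */
#define TLS_TAG  'T'   /* stands in for tlso_sb_write */
/* Prepend a 2-byte header {tag, inner_len} and scramble the payload (toy "encryption"). */
static int wrap(unsigned char tag, unsigned char key, unsigned char *buf, int len)
{
    memmove(buf + 2, buf, (size_t)len);
    buf[0] = tag;
    buf[1] = (unsigned char)len;
    for (int i = 0; i < len; i++)
        buf[2 + i] ^= key;
    return len + 2;
}
/* Check the tag, unscramble, strip the header; -1 if this is not our layer. */
static int unwrap(unsigned char tag, unsigned char key, unsigned char *buf, int len)
{
    if (len < 2 || buf[0] != tag || buf[1] > len - 2)
        return -1;
    int inner = buf[1];
    for (int i = 0; i < inner; i++)
        buf[2 + i] ^= key;
    memmove(buf, buf + 2, (size_t)inner);
    return inner;
}
/* Client side, in the writer order of the Kerberos + TLS chain: SASL first, then TLS. */
static int client_write(int sasl, int tls, unsigned char *buf, int len)
{
    if (sasl) len = wrap(SASL_TAG, 0x5A, buf, len);
    if (tls)  len = wrap(TLS_TAG, 0xA5, buf, len);
    return len;
}
/* Server side peels in reverse, TLS then SASL, but only the layers it expects. */
static int server_read(int sasl, int tls, unsigned char *buf, int len)
{
    if (tls  && (len = unwrap(TLS_TAG, 0xA5, buf, len)) < 0) return -1;
    if (sasl && (len = unwrap(SASL_TAG, 0x5A, buf, len)) < 0) return -1;
    return len;
}
/* 1 if the server ends up holding a definite-length BER SEQUENCE (an LDAPMessage), else 0. */
int roundtrip(int client_sasl, int client_tls, int server_sasl, int server_tls)
{
    unsigned char buf[64] = { 0x30, 0x03, 0x02, 0x01, 0x07 }; /* constructed: SEQUENCE { INTEGER 7 } */
    int len = client_write(client_sasl, client_tls, buf, 5);
    len = server_read(server_sasl, server_tls, buf, len);
    return len >= 2 && buf[0] == 0x30 && buf[1] == len - 2;
}
```

Comparing roundtrip(1, 1, 1, 1) with roundtrip(1, 1, 0, 1) is the useful check: the same client bytes parse only when both sides agree on exactly which layers are in the chain.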