-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
> From this page:
> http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
> it seems that OpenLDAP is not using the negotiated SASL buffer size
> correctly.
You should read more carefully. That page states:
This is also a feature with Active Directory: large queries with SASL
will fail because Active Directory is not using the negotiated buffer size
correctly.
<<<
The problem is with Active Directory, not OpenLDAP. Active Directory
completely ignores the negotiated buffer size and writes as much as it
wants into a single SASL buffer. This is a well-known problem. There are
no workarounds; go complain to Microsoft for a fix. Older versions of
Cyrus SASL have a related bug that exacerbates the problem; they restrict
the buffer size to 0xffff max when the SASL protocol dictates a max of
0xffffff. I believe this has been fixed as of Cyrus 2.1.7.
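
Added example, not part of the original message and not OpenLDAP or Cyrus SASL code: a receiver-side check that walks length-prefixed SASL security-layer buffers and flags any that exceed the negotiated maximum, run once with the protocol maximum 0xffffff and once with the 0xffff cap mentioned above. It assumes the RFC 4752 GSSAPI negotiation token layout (one octet of security-layer bits, three octets of maximum buffer size) and the RFC 4422 four-octet length prefix; the function names and the sample stream are constructed for illustration.

```python
import struct

SASL_PROTOCOL_MAX = 0xFFFFFF  # largest value the 3-octet size field can carry
OLD_CAP = 0xFFFF              # cap the message attributes to older Cyrus SASL


def parse_negotiation_token(token: bytes):
    """Split the unwrapped 4-octet token into (layer_bits, max_buffer_size)."""
    if len(token) != 4:
        raise ValueError("negotiation token must be exactly 4 octets")
    return token[0], int.from_bytes(token[1:4], "big")


def frame(payload: bytes) -> bytes:
    """Prepend the 4-octet network-order length used by SASL security layers."""
    return struct.pack(">I", len(payload)) + payload


def check_sasl_stream(stream: bytes, negotiated_max: int):
    """Return (offset, length, verdict) for each buffer; stop at the first bad one."""
    findings, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            findings.append((offset, None, "truncated-length"))
            break
        (length,) = struct.unpack_from(">I", stream, offset)
        if length > negotiated_max:
            # Peer ignored the size this side advertised: reject, do not allocate.
            findings.append((offset, length, "exceeds-negotiated"))
            break
        if len(stream) - offset - 4 < length:
            findings.append((offset, length, "truncated-body"))
            break
        findings.append((offset, length, "ok"))
        offset += 4 + length
    return findings


def constructed_stream() -> bytes:
    """Constructed sample: a small buffer followed by a 70000-octet buffer."""
    return frame(b"a" * 100) + frame(b"b" * 70000)


if __name__ == "__main__":
    layers, max_buf = parse_negotiation_token(bytes([0x07, 0xFF, 0xFF, 0xFF]))
    for limit in (max_buf, min(max_buf, OLD_CAP)):
        print(hex(limit), check_sasl_stream(constructed_stream(), limit))
```
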