Hello,
I have been working on extending an application that searches an LDAP server with Kerberos support. I can now bind and then search using the following mechanisms:
- Simple Bind
- Simple Bind with TLS
- Kerberos Bind
I am having issues when I have Kerberos bind and TLS turned on.
I can see the Kerberos ticket established and the SASL bind to the LDAP server complete, but the LDAP search fails because the message cannot be parsed by the server.
I use the following open source libraries:
- OpenLDAP
- Cyrus SASL
- OpenSSL
- Heimdal
In my debugging, I noticed that there are different writers that are installed in the chain. I turned on debugging, and hence I see these writers called in the order listed:
- simple with TLS: sb_debug_write() -> tlso_sb_write() -> sb_debug_write() -> sb_stream_write()
- Kerberos Bind: sb_debug_write() -> sb_sasl_generic_write() -> sb_debug_write() -> sb_stream_write()
- Kerberos + TLS: sb_debug_write() -> sb_sasl_generic_write() -> sb_debug_write() -> tlso_sb_write() -> sb_debug_write() -> sb_stream_write()
Is this a use case that is supposed to work? What could I be missing?
Thanks!
Kris