--On Thursday, April 13, 2023 10:31 AM +0200 Stefan Kania stefan@kania-online.de wrote:
>> Because the SSF of GSSAPI is hard-coded to be 56. With MIT Kerberos they eventually fixed this, but it's still not fixed in Heimdal (last I checked, but haven't checked the status of that bug report in a while). Once that is fixed, then cyrus-sasl has to be fixed to pull in the real SSF, which so far has not been done. Then OpenLDAP could report the 'real' SSF of the SASL bind.
> Thank you for this information. I'm using Debian 11 with MIT-Kerberos. The installed Debian version is 1.18.3-6+deb11u3 so still 56 :-( But now I know :-)
MIT Kerberos added the logic in MIT 1.16, so your version has it. But as I noted, cyrus-sasl does not have the logic to make use of it. ;)
The Heimdal issue is https://github.com/heimdal/heimdal/issues/400
--Quanah