Quoting masarati@aero.polimi.it:
ldap_url_parse_ext(ldap://ldapks.example.com:389) =>ldap_back_getconn: conn=1001 op=3: lc=0x960e6f8 inserted refcnt=1 rc=0 ldap_sasl_bind
^^^ this call shouldn't be here; on the contrary, this should result in calling ldap_sasl_interactive_bind_s() from within back-ldap's ldap_back_proxy_authz_bind(). I have no clue about why this is happening since I've never tested this with GSSAPI (and I can't do it now). However I've tested it with other SASL mechs (including DIGEST-MD5 and EXTERNAL) and it worked as expected.
Then I suppose it's a good thing I ran into it. ;-)
As I said, I have no clue.
Shall I file a bug report?
Yes, if you like. Hopefully someone can test your scenario with GSSAPI.
If so, I would prefer to do it via Debian's bug reporting system, since that's what I'm using
If you use Debian's bug reporting, you implicitly assume Debian maintainers will address the issue. If you want OpenLDAP developers to address it, you need to use OpenLDAP's tracker.
p.