Hello Quanah,

Thank you very much for your email. It worked for me (I passed GSSAPI as the string and dn as NULL), and I can now see in the packet capture that a SASL bind request is being sent out using GSSAPI. Below is the snapshot.

Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" sasl
        messageID: 1
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name: 
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6d797077
                        GSS-API Generic Security Service Application Program Interface
                            Unknown header (class=1, pc=1, tag=13)   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Why unknown ?
                                [Expert Info (Warn/Protocol): Unknown header (class=1, pc=1, tag=13)]
                                    [Unknown header (class=1, pc=1, tag=13)]
                                    [Severity level: Warn]
                                    [Group: Protocol]

I was getting something like the above, where part of the packet is shown as an unknown header. I suspect that Wireshark is not recognizing this, or that this is again a different problem. I look forward to your feedback.

regards,
Nishanth

On Mon, Jul 10, 2017 at 11:23 PM, Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Monday, July 10, 2017 9:02 PM +0530 Nishanth Nagendra <nishanth.amogh@gmail.com> wrote:

From the OpenLDAP source code, I notice that the sasl.c file has a constant
LDAP_SASL_SIMPLE as a constant for the mechanism, which is a NULL value. I
tried to pass a non-NULL value in my function call to ldap_sasl_bind in
the third parameter, expecting it to hit the other code path to initiate a
SASL bind with credentials, but the library does not seem to allow it and
returns an error from the SASL bind.

As clearly noted in the source code comments, the third argument is the MECHANISM to use:

/*
 * ldap_sasl_bind - bind to the ldap server (and X.500).
 * The dn (usually NULL), mechanism, and credentials are provided.
 * The message id of the request initiated is provided upon successful
 * (LDAP_SUCCESS) return.
 *
 * Example:
 *      ldap_sasl_bind( ld, NULL, "mechanism",
 *              cred, NULL, NULL, &msgid )
 */


I.e., you would pass in "GSSAPI" for a SASL/GSSAPI bind, etc.

It is also generally better form to use ldap_sasl_interactive_bind_s, as noted in the man page.  In that case, as noted by the manual page:

      The mechs parameter should contain a space-separated list of candidate
      mechanisms to use. If this parameter is NULL or empty the library will
      query the supportedSASLMechanisms attribute from the server's rootDSE
      for the list of SASL mechanisms the server supports.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
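The Wireshark warning quoted at the top of the thread can be explained from the bytes in the capture itself. The dissector treats the first octet of the SASL credentials as a BER identifier octet: 0x6d is class 1 (APPLICATION), constructed (pc=1), tag 13, which is exactly what "Unknown header (class=1, pc=1, tag=13)" reports, and no such header exists in the GSS-API grammar. A real GSS-API InitialContextToken (RFC 2743 section 3.1) begins with 0x60 ([APPLICATION 0] constructed) followed by the mechanism OID. ldap_sasl_bind transmits the credentials buffer verbatim and does not itself run the GSS-API exchange; that is what the interactive bind with a SASL library does, as the reply above recommends. The script below is an added example, not code from this thread or from OpenLDAP: it decodes the identifier octet the way Wireshark does, checks whether a credentials blob is framed as a GSS-API initial token, and extracts the mechanism OID when it is. CAPTURED_CREDENTIALS is copied from the capture above; SAMPLE_KRB5_TOKEN is a constructed outer framing of a Kerberos V5 token with a two-byte stand-in for the inner token, not a real one.

```python
"""Added example (not from the thread or from OpenLDAP): decode the first
BER identifier octet of a SASL credentials field and check whether the
blob is a GSS-API InitialContextToken (RFC 2743 section 3.1)."""

# Bytes copied from the capture in the thread ("credentials: 6d797077").
CAPTURED_CREDENTIALS = bytes.fromhex("6d797077")

# Constructed sample: [APPLICATION 0] framing, mech OID 1.2.840.113554.1.2.2
# (Kerberos V5), then a two-byte stand-in for the inner token. Not a real token.
SAMPLE_KRB5_TOKEN = bytes.fromhex("600d06092a864886f7120102020100")

GSS_INITIAL_CONTEXT_TOKEN_TAG = 0x60  # [APPLICATION 0], constructed
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
BER_CLASSES = {0: "universal", 1: "application", 2: "context-specific", 3: "private"}


def decode_identifier_octet(first: int) -> dict:
    """Split a BER identifier octet into class, P/C bit and tag number.

    This is the same split Wireshark prints as (class=?, pc=?, tag=?)."""
    return {"class": (first >> 6) & 0x3, "pc": (first >> 5) & 0x1, "tag": first & 0x1F}


def _read_length(buf: bytes, pos: int):
    """Read a BER length (short or definite long form); return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw: bytes) -> str:
    """Decode BER OID contents (base-128 arcs) into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def gss_mech_oid(creds: bytes):
    """Return the mechanism OID if creds is framed as a GSS-API initial token, else None."""
    if len(creds) < 2 or creds[0] != GSS_INITIAL_CONTEXT_TOKEN_TAG:
        return None
    total, pos = _read_length(creds, 1)
    if pos + total > len(creds) or creds[pos] != 0x06:  # 0x06 = UNIVERSAL OID
        return None
    oid_len, pos = _read_length(creds, pos + 1)
    if pos + oid_len > len(creds):
        return None
    return decode_oid(creds[pos:pos + oid_len])


def classify_sasl_credentials(creds: bytes) -> dict:
    """Summarise what a bindRequest's SASL credentials field carries."""
    if not creds:
        return {"empty": True, "mech_oid": None, "printable_ascii": None}
    hdr = decode_identifier_octet(creds[0])
    # A blob that is entirely printable ASCII is a string, not a GSS token.
    printable = creds.decode("ascii") if all(0x20 <= b < 0x7F for b in creds) else None
    return {
        "empty": False,
        "class": hdr["class"],
        "class_name": BER_CLASSES[hdr["class"]],
        "pc": hdr["pc"],
        "tag": hdr["tag"],
        "mech_oid": gss_mech_oid(creds),
        "printable_ascii": printable,
    }


if __name__ == "__main__":
    for label, blob in (("captured", CAPTURED_CREDENTIALS), ("sample krb5", SAMPLE_KRB5_TOKEN)):
        print(label, blob.hex(), classify_sasl_credentials(blob))
```

Run against the captured bytes, the classifier reports class 1, pc 1, tag 13 and no mechanism OID, while the whole field decodes as printable ASCII; against the constructed sample it reports tag 0 and the Kerberos V5 OID. The practical reading for anyone reviewing such a capture is that whatever buffer is handed to ldap_sasl_bind leaves the client unchanged and before any SASL security layer exists, so the credentials field of a GSSAPI bind should only ever contain a token produced by the GSS-API library.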