Hello,

I have been working on extending an application that searches LDAP server with Kerberos support.  I can now bind and then search using the following mechanism:

- Simple Bind
- Simple Bind with TLS
- Kerberos Bind

I am having issues when I have Kerberos bind and TLS turned on.

I can see the the Kerberos ticket established, the SASL bind to the LDAP server complete, but the LDAP search failing as the message cannot be parsed by the server.

I use the following open source libraries:
- OpenLDAP
- Cyrus SASL
- OpenSSL
- Heimdal

In my debugging, I noticed that there are different writers that are installed in the chain.  I turned on debugging, and hence I see these writers called in the order listed:

- simple with TLS: sb_debug_write() -> tlso_sb_write() -> sb_debug_write() -> sb_stream_write()
- Kerberos Bind: sb_debug_write() -> sb_sasl_generic_write() -> sb_debug_write() -> sb_stream_write()
- Kerberos + TLS:  sb_debug_write() -> sb_sasl_generic_write() -> sb_debug_write() -> tlso_sb_write() -> sb_debug_write() -> sb_stream_write()


Is this a use case that is supposed to work? What could I be missing?

Thanks!
Kris