Thanks for the quick response.

I tried your suggestion like this:

        // GSSAPI and TLS fails to AD.  This was a suggestion for the workaround:
        // LDAP_OPT_X_SASL_SSF_MAX takes a ber_len_t * (see ldap_set_option(3)),
        // so the variable is a ber_len_t rather than a sasl_ssf_t.
        ber_len_t max_ssf = 0;

        ldrc = ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
        if (ldrc != LDAP_SUCCESS) {
            logError("ldap_set_option() for LDAP_OPT_X_SASL_SSF_MAX failure: ldrc = %d", ldrc);
        }


But with that change I can't bind any longer; I get a "Local error(-2)".

I get the same for Kerberos with no TLS with this setting.

Is the use case of SASL authentication with Kerberos to the LDAP server and TLS to the LDAP server for all other communication a valid one?


On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
There is a known bug in Cyrus SASL which triggers this problem:


If adding "-O maxssf=0" to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.

Apparently I can't read my own bug reports. This may or may not be your

Dan White