Hi folks,
I am trying to perform a SASL bind against Active Directory with GSSAPI mech. I wrote a very simple C client which should serve as a proof of concept. I read the man page about both methods [1] and decided to try ldap_sasl_bind_s first.
I saw that ldap_sasl_bind_s never sends a Kerberos token to the server (Wireshark capture). Then I tried ldap_sasl_interactive_bind_s as in ldapsearch, after fiddling with interact and defaults, which are, by the way, not very helpfully described in the man page, though [2] helped a lot. This one works flawlessly.
The difference between the two is not really clear to me, because we aren't going to use any interactive code. Our goal is to write attribute retrieval for headless libs.
A day later, I downloaded the source tarball and saw that ldap_sasl_bind_s never calls sasl_client_start, whereas ldap_sasl_interactive_bind_s actually does. Additionally, I found gssapi.c with ldap_int_gss_spnego_bind_s and ldap_gssapi_bind_s, which both initialise the GSS context and loop over the tokens with ldap_sasl_bind_s.
Does that ultimately mean that one should avoid ldap_sasl_bind_s altogether and work with ldap_sasl_interactive_bind_s regardless of the mech(s) used?
[1] http://www.openldap.org/software/man.cgi?query=ldap_sasl_bind_s&sektion=...
[2] http://adam.younglogic.com/2012/02/exteranl-sasl/
Regards,
Michael