I can confirm that this bug is still present in the most recent versions
of OpenLDAP and SASL. Johnny Westerlund's statement is correct but the
tip isn't.

Here is the deal: https://msdn.microsoft.com/en-us/library/cc223500.aspx

Active Directory does not support GSS-API integrity/confidentiality over TLS
encrypted sockets. Unfortunately, you cannot disable integrity in SASL. It is
enabled by default. maxssf=0 does not work and gives you:

ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)

Here is the code in question:
https://github.com/michael-o/cyrus-sasl/blob/master/plugins/gssapi.c#L1586-L1596

FWIW: This fails on RHEL, FreeBSD and HP-UX, it fails everywhere with
MIT Kerberos.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1015819

Title:
  sb_sasl_generic_pkt_length: received illegal packet length when using
  ldapsearch and sasl with ssl or tls
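
Added illustration (not part of the bug comment and not Cyrus SASL's code): a sketch of the RFC 4752 security-layer negotiation step, where a GSSAPI client decodes the server's 4-octet offer, picks a layer, and encodes its answer. The function names and the `over_tls` policy flag are assumptions made for this example; the sample tokens in any caller are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Security-layer bits from RFC 4752, section 3.1. */
enum { LAYER_NONE = 1, LAYER_INTEGRITY = 2, LAYER_CONFIDENTIALITY = 4 };

struct layer_offer {
    uint8_t  layers;     /* bitmask of layers the server offers */
    uint32_t max_buffer; /* largest wrapped message the server accepts */
};

/* Decode the server's 4-octet offer (after gss_unwrap). Returns 0 on success. */
int parse_layer_offer(const uint8_t *tok, size_t len, struct layer_offer *out)
{
    if (tok == NULL || out == NULL || len != 4)
        return -1;
    out->layers = tok[0] & 0x07;
    out->max_buffer = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    return 0;
}

/* Hypothetical policy: over TLS only "no layer" is acceptable (the Active
 * Directory restriction described above); otherwise prefer the strongest
 * offered layer. Returns the chosen bit, or 0 if nothing is acceptable. */
int choose_layer(const struct layer_offer *offer, int over_tls)
{
    if (over_tls)
        return (offer->layers & LAYER_NONE) ? LAYER_NONE : 0;
    if (offer->layers & LAYER_CONFIDENTIALITY) return LAYER_CONFIDENTIALITY;
    if (offer->layers & LAYER_INTEGRITY) return LAYER_INTEGRITY;
    return (offer->layers & LAYER_NONE) ? LAYER_NONE : 0;
}

/* Build the client's 4-octet answer: chosen layer, then its receive buffer
 * size in network byte order (0 when no layer is selected). The authzid that
 * may follow is omitted here. Returns 0 on success. */
int build_layer_reply(int chosen, uint32_t client_max, uint8_t reply[4])
{
    if (chosen != LAYER_NONE && chosen != LAYER_INTEGRITY && chosen != LAYER_CONFIDENTIALITY)
        return -1;
    if (client_max > 0xFFFFFF)
        return -1;
    if (chosen == LAYER_NONE)
        client_max = 0; /* nothing will be wrapped, so advertise no buffer */
    reply[0] = (uint8_t)chosen;
    reply[1] = (uint8_t)(client_max >> 16);
    reply[2] = (uint8_t)(client_max >> 8);
    reply[3] = (uint8_t)client_max;
    return 0;
}
```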
