After the SASL "GSSAPI" method has authenticated gss_wrap is called
with some data to be used with ldap_sasl_bind_s. This data is 1)
a confidentiality and integrity bitmask, 2) the maximum buffer size
accepted by the client, and 3) the "authorization identity".

What is the "authorization identity"? Is it a UPN or ...?

Also, RFC 2222 and others claim the data must be padded to a multiple of
8 but I don't see that padding using ldapsearch with cyrus-sasl. Is
there supposed to be padding or not?


Michael B Allen
PHP Active Directory SSO
Kerberos mailing list Kerberos@mit.edu