On Tue May 13 19:22:59 2025 +0000, Dmitry Timoshkov wrote:
I mean if the caller requested integrity and confidentiality (like your current code does) but the server doesn't support them. I'd guess that NTLM doesn't support integrity (signing), and just using confidentiality (encryption) is sufficient in that case and shouldn't be considered an error.
I did some experiments, and ISC_REQ_MUTUAL_AUTH is the key flag that makes LDAP over Kerberos work for my configuration; without it, authentication uses 1 step instead of 2, and apparently this makes the security context unusable.
I don't insist that the server attributes check should be fatal, emitting a warning would suffice I guess.
Hans, does adding only ISC_REQ_MUTUAL_AUTH work for your use case with NTLM?