On Wed May 14 12:43:25 2025 +0000, Hans Leidekker wrote:
Retrieving SSPI flags before binding returns ISC_REQ_EXTENDED_ERROR | ISC_REQ_MUTUAL_AUTH, so that seems to be the default. Retrieving the flags after successful Negotiate bind (which picks NTLM) I get ISC_REQ_INTEGRITY | ISC_REQ_EXTENDED_ERROR | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT. I think we should use the same default and avoid any checks on returned flags.
Kerberos won't work without ISC_REQ_MUTUAL_AUTH, so how should we decide when to add it? Somehow detect NTLM/Kerberos?