I’d like to use openldap clients like ldapsearch with gssapi authentication against AD, but cyrus-sasl 2.1.25 is broken when using ldaps. Version 2.1.21 works and I have noticed that fedora 20 with 2.1.26 works again.
This following example authenticates the user and encrypts the traffic via the gssapi ( This works)
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME “(samaccountname=mm)”
This should authenticate the user but not encrypt the traffic (This fails) 
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME “(samaccountname=mm)”
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME “(samaccountname=mm)”
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME “(samaccountname=mm)”
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Applying the “fix” from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) make all 4 cases work, but I doubt it is the right think to do.
Can this be fixed in 12.3 and 13.1 please ? Otherwise I need to abandon OpenSuse which I used for many years now.:’(
Thank you
Markus