Created attachment 12518 [details]
If a client successfully binds to the LDAP server using SASL GSSAPI and then attempts to bind again using the same connection, the server reports error:
SASL:[GSSAPI]: Sign or Seal are required.
This error is misleading as the server is refusing to renegotiate the security context over already existing encrypted channel. Examining the relevant segment of code, a small reorganization will obtain the right error code. Patch attached.
Once patched, server signals:
SASL:[GSSAPI]: Sign or Seal are not allowed if SASL encryption has already been set up