Active Directory, LDAP, Kerberos and SSL

Trying to talk to AD via ldaps:// and -Y GSSAPI? Getting:

sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes

According to Microsoft's Open Specification, 5.1.1.1.2 SASL Authentication:

While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.

Also passing -O "maxssf=0,minssf=0" to ldapsearch works for me.

See redhat:4661861, lp:#1015819, cyrus-sasl:#419, cyrus-sasl:#603.
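
The "illegal packet length" in the error is worth decoding. The following Python snippet is an added example, not part of the original note: it reinterprets the reported number as the four bytes the client read as a SASL length prefix and checks whether they are really the start of a BER-encoded LDAP message. The function name and the two extra sample values are constructed for illustration.

```python
import struct

def reinterpret_sasl_length(reported_length):
    """Treat a reported SASL 'packet length' as the 4 bytes read off the wire
    and check whether they are really the start of a BER-encoded LDAPMessage."""
    raw = struct.pack(">I", reported_length)  # SASL buffers carry a 4-octet big-endian length
    result = {
        "bytes": " ".join(f"{b:02x}" for b in raw),
        "looks_like_ldap": False,
        "ber_length_octets": None,
    }
    tag, first_len = raw[0], raw[1]
    if tag != 0x30:                    # every LDAPMessage is a BER SEQUENCE (tag 0x30)
        return result
    if first_len < 0x80:               # short form: this byte is the length itself
        result["ber_length_octets"] = 0
    elif first_len in (0x80, 0xFF):    # indefinite / reserved forms, not used by LDAP
        return result
    else:                              # long form: low 7 bits = number of length octets
        result["ber_length_octets"] = first_len & 0x7F
    result["looks_like_ldap"] = True
    return result

# Sample inputs: the first is from the error above, the other two are constructed.
SAMPLES = {
    813957120: "length from the error message on this page",
    806093313: "constructed: 30 0c 02 01, a short-form LDAPMessage header",
    60: "constructed: a plausible genuine SASL buffer length",
}

if __name__ == "__main__":
    for value, label in SAMPLES.items():
        print(value, label, reinterpret_sasl_length(value))
```

For 813957120 the bytes are 30 84 00 00, a SEQUENCE tag followed by a four-octet long-form length, which is consistent with the server answering in plain LDAP inside TLS while the client expected a SASL-wrapped buffer.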