I have an application where I use SASL (Kerberos) to bind to LDAP. In this case the ldap_search_s function returns an operation error when I use the root as the base DN. For example, if base_dn="DC=AD" and the filter is (cn=administrator), ldap_search_s returns 1. ldap_search_s works as expected when I use the same filter with base_dn="OU=OMD,DC=AD" (it also works with any other sub-entry in the tree used as the base DN). I don't see the same issue when I use the ldap_simple_bind_s function to bind to the server. Could you please help me understand what I am doing wrong here?
Here is a condensed answer based on our lengthy chat:
Your bind implementation seems sound though some subtree searches fail. Use Wireshark to see what is really happening. It is highly likely that you receive instead of a proper answer a referrer result. The API is probably set to follow
and tries to perform. Since you performed a manual and not interactive bind, the subsequent internal bind is incomplete and the resolution fails. You can either disable referral chasing and process the stuff manually or turn the connected port to 3268 and use the global catalog. That will give you a complete, read-only view of the forest. No referrals anymore.
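
For the "disable referral chasing and process the stuff manually" route, an added example that is not part of the original answer: once chasing is off (`ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)`), the referral URLs come back to the caller, which decides which ones to follow. The code below parses such a URL and accepts only hosts inside a trusted DNS suffix, so the Kerberos bind is never repeated against a host merely named in a server response; the function names, the suffix `ad` and the sample URLs are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Parsed form of a referral URL: ldap[s]://host[:port]/baseDN[?attrs?scope?filter] */
struct referral {
    char host[256];
    int  port;
    char base_dn[512];
};

/* Parse a referral URL. Returns 0 on success, -1 on malformed or unsupported input.
   IPv6 literals are rejected and percent-escapes in the DN are left undecoded. */
int parse_referral(const char *url, struct referral *out)
{
    const char *p;
    if (strncasecmp(url, "ldap://", 7) == 0)       { p = url + 7; out->port = 389; }
    else if (strncasecmp(url, "ldaps://", 8) == 0) { p = url + 8; out->port = 636; }
    else return -1;

    size_t hostlen = strcspn(p, ":/");
    if (hostlen == 0 || hostlen >= sizeof out->host) return -1;
    memcpy(out->host, p, hostlen);
    out->host[hostlen] = '\0';
    p += hostlen;

    if (*p == ':') {                        /* explicit port, e.g. :3268 */
        char *end;
        long port = strtol(p + 1, &end, 10);
        if (end == p + 1 || port < 1 || port > 65535) return -1;
        out->port = (int)port;
        p = end;
    }
    if (*p != '\0' && *p != '/') return -1;
    if (*p == '/') p++;
    size_t dnlen = strcspn(p, "?");         /* keep only the base DN part */
    if (dnlen >= sizeof out->base_dn) return -1;
    memcpy(out->base_dn, p, dnlen);
    out->base_dn[dnlen] = '\0';
    return 0;
}

/* Allow a referral only if its host equals the trusted suffix or is a subdomain of it. */
int referral_allowed(const struct referral *r, const char *suffix)
{
    size_t hl = strlen(r->host), sl = strlen(suffix);
    if (hl < sl || strcasecmp(r->host + hl - sl, suffix) != 0) return 0;
    return hl == sl || r->host[hl - sl - 1] == '.';
}
```

A referral that passes the check can then be searched on a new connection that is bound the same way as the first one.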