From ff58be2f36a986a9fc744231336dfccf4e9241d9 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Fri, 11 Apr 2025 16:44:07 +0200 Subject: [PATCH] ldap: Only switch into MS_KRB5 mode if responseToken exists If the server doesn't include a responseToken within negTokenResp, assume there won't be signing or sealing happening on the connection. Don't switch into MS_KRB5 mode. Closes #4275 --- src/analyzer/protocol/ldap/ldap.spicy | 5 +++-- .../krb.ldap.log | 11 +++++++++++ .../krb.ldap_search.log | 11 +++++++++++ .../ntlm.ldap.log | 12 ++++++++++++ .../ntlm.ldap_search.log | 11 +++++++++++ testing/btest/Traces/README | 5 ++++- testing/btest/Traces/ldap/aduser1-ntlm.pcap | Bin 0 -> 3159 bytes testing/btest/Traces/ldap/aduser1.pcap | Bin 0 -> 13575 bytes .../scripts/base/protocols/ldap/aduser1.zeek | 11 +++++++++++ 9 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log create mode 100644 testing/btest/Traces/ldap/aduser1-ntlm.pcap create mode 100644 testing/btest/Traces/ldap/aduser1.pcap create mode 100644 testing/btest/scripts/base/protocols/ldap/aduser1.zeek diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy index f448d71f0c..63379d9a83 100644 --- a/src/analyzer/protocol/ldap/ldap.spicy +++ b/src/analyzer/protocol/ldap/ldap.spicy @@ -423,6 +423,7 @@ type GSS_SPNEGO_Subsequent = unit { type GSS_SPNEGO_negTokenResp = unit { var accepted: bool; var supportedMech: ASN1::ASN1Message; + var responseToken: optional; # Parse the contained Sequence. seq: ASN1::ASN1Message(True) { @@ -433,7 +434,7 @@ type GSS_SPNEGO_negTokenResp = unit { } else if ( msg.application_id == 1 ) { self.supportedMech = msg; } else if ( msg.application_id == 2 ) { - # ignore responseToken + self.responseToken = msg.application_data; } else if ( msg.application_id == 3 ) { # ignore mechListMec } else { @@ -523,7 +524,7 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) { if ( $$?.negTokenResp ) { local token = $$.negTokenResp; if ( token.accepted && token?.supportedMechOid ) { - if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) { + if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken ) { ctx.messageMode = MessageMode::MS_KRB5; } } diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log new file mode 100644 index 0000000000..740ca715e6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1440128865 3 bind SASL success - User1 GSS-SPNEGO +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log new file mode 100644 index 0000000000..76424d5afc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1319382063 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log new file mode 100644 index 0000000000..502d28b4f4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 success - User1 - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 success - User1 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log new file mode 100644 index 0000000000..a02df616d7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1673297393 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 6f9576cb71..ec244576a9 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -49,4 +49,7 @@ Trace Index/Sources: - tunnels/geneve-tagged-udp-packet.pcap Provided by Eldon Koyle Corelight for testing. - cdp-v1.pcap - From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures. \ No newline at end of file + From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures. +- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap + Provided by Mohan-Dhawan on #4275 + https://github.com/zeek/zeek/issues/4275 diff --git a/testing/btest/Traces/ldap/aduser1-ntlm.pcap b/testing/btest/Traces/ldap/aduser1-ntlm.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3498d7a3cba5402cdf3fa5743d5c85057ee2e7b7 GIT binary patch literal 3159 zcmds3Z){Ul6hHU%b}NM_`vY4vgOLR{adhwX?;CEi+VN*ww~^q`ScNrR8O74#+KE9R zWr(0cB8w!(D0VYO910@fP!tA=elQL-d@&e92p<-sGBD!XRM`IE)`07!D48G}x|R4^WTS)L_Pgiw|_+e_z3611tfk>OWos zHCa`C0|&3{z_z>l2HTkvdipdij!U9ViWW?0) zHRQnCH4w|HKTD{D&USX+@MK-NhUjPFxwmhBxmQC*Gy|c7v-AjAAmrCK06dD8s7>SK(RQGOA}3pHQ7bUn|=fOoONF;^tCl8dK`yNWCPBN;GE84&atZDfN1&itNp%Q%AKC8`F?W|qybT!m9Ei1=? zyV>P*8<~XWCGkTQ#Orq56LB^=eZFvKDB9%R;NQhJcmu&+<%5dtvlWxsq*`T@qF8J; zyGb!wO{#3^%B9jd`iLtWigtv9JD6Es$Wx%WapR^ow>J`9>5p;&%cli#=nl7sL-7)M z9#3b%qEzy1Sue3RZQp-$7+?|CT52|Uc_2>NSUQ-JjjEhb>mJHRX-6U(1DK5hk&W-Q zD78^G&hk=MQ#CP?%SSIF<+ZK}p~FEi?DGc2qut^^e*zJOP;{KhV&;K~q{UP|&s8iI z)h^2xi_M{`W`|<8h_ywj0Tb)9wO5k{SE9vDOcd~0o#bYXw{4x*_e>zvZW{ON*9nw< zN>EbnhSIyjnfa-d5`H@rv)y4en^i@2WaenIsFjMWsqAo+NM138frbeT7W3*+2B|LNR>RV64{*Y_uC(|N2-MTB@75$(v0 XT57d}vOupu{2?9UihO{%=K=l!B>FKB literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/ldap/aduser1.pcap b/testing/btest/Traces/ldap/aduser1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a1d1c5aa4a6ac259e0515ee8a23819ee90b0a135 GIT binary patch literal 13575 zcmeHtc{o&U`2U%4W^CElh=fXF8oL%-NV1y=f6%&xf;7PEJqghw88>2aai{^ZQE}S5W z8#2lTG~zINA3#)ySbvy+WB@SO#vyLfe2pRMPlzas8*(GD5g$TCfMGdGv0EGo(PVKq zVaM7=M}O`qBY6AeO15@NWRjLPf(OHuv`J(#d)LIo1XGY>838c{+JcR#nqOkXkpq7~ zF)j<{5~DB>V`qY_5|4sBlQck90ubLrfbsPQc$O*HVQx6g6j(?9r8h%(kWoB>#EM;+ zm+VDYx|e5gtM75Ci@ey)3E-F6W?bl&*pvMf(v58i$U3a|jwKT35^)3qz95(!RIrG= zfG7ZtQ5@X>k5?q}tEVibe-X#w@z`z(b5{VIW$yBf87)wxPF5?JC9fJ97VYIv4WNZm z{k>?RUd~I*b+rr(O~Zq!K2cOJ+M3X?NGeqHy*)DK&15Et9VpJ83$>{Wq& z;8;`8>|#PVyjpL%Ft@Soehtgssrz%R3v$iDqwXJ2<-5RgtlA#CHU zp-J-{w1(PtPHR|VZ=HOem;kJy{3+WSx_~u6Z?tEuHH?)Ycme;@HWfg!2D&j_CU)p; z%6<#=$+`u?jU9D1gK} zfO8^dhy{3r8DfsuAl8UIVuj$r-Q&;V5JhAKHbN6|1*04gJwzWI&j-CF7;ghOP@LdC z5)zDrA%2Jt=y?$1f59OA3j*O^pTUdpA!A=AsMyW{0`dhg3)?tDeyiDo8FC$$A-}gy zzK{tGS#~+wklz49&H@+}EX6`V9I^#=*aqHoj_scm%W25&?0X7VkX;xQ)QP1{hzHHa z^ydh(pFQh%Y%hw40_j1m1M@x;em=6rfx7yU{ycu7Y#rtu$wLGr9}Iwv+rE)B8V=gG zjVPymU&ySkuqp)hjT;JNiUEk=Phj6~0EQE{7+CiGU&X+*Z+@hZmrQ`RjU@?n!vrK9 zpu;v!Tk)Fjp|V6Yqon%za2&KF#}N+7IJ3Zb8XgniG%f+Y00Mjq1vs*YEx=qLz;^(29A!`- zaQi39QUY8b7mA6!oZc!T-YiQ}W>I$b2SM?(p8+%9VdHU`Zyw;i2TBvg5huxf ziD4McU$|(V0nnvj<~v)8t>^bZ&v_8Bm`I!?|F2&S5$E7oh`s)ZTb{boAWI6)X&h4M z9V-Q4J`QAVDWI4XJXlgd+;h8gg)~p+pG*q%o*2!1Tr>{> z^iC)RQX*RlAAl5gLB#U_@dqFtwsG%If4vt(RI`~75#;|BztTbs5n!APN<2+YtSscg z;|L7!BTytomLQ82qIf)#z~D!*mluZ{El%7{PRuCa-il=FU~Xnxq)Jw14wENOl_#!^^o?E94SzC{+ zqoqYQ)YH{9^f)yB)L|kX72m%k?+Aem9xM)};Veu<-VqS2aXURi8;t-pXL+7WbDeqW zGb$5Am3W9Q>~|Jw>;r-jUDwiy&SW~#9uiG}LJ?$;$QopIxGTX>L1&PslNI1a@j_{N zNiJ?NDHM&DLh%H`Dxst2edy?EG99g8K5YDbjQ=FPB03rdP}VZ30;J&?baXXJN8Ojd z@Zh(jDkwYmOP#1YQ_1)$so`0F==LU(rkG`>?y@b>(gvILklcFbhyrt?OvWEPA7&)9 zDI3M)js7icc~7rDmow9~<%a%2AVnClgi zp9CLU|1GQA&^T*^G-#G@KK-HK(`%~5oQ*Ta zD>#|Oh$a-Yp6PgU%#Lqc&9u0hbS+ukY4p(=%Bs3!CW-U1&SxuGFO8U`pkrFl&?nd} z+LiuMjwkm)`S;+wD=$Z$W^TX4tL^i?(&1y8f7*aJaf^4j!QMbez3H!eZ}ntOWjM@z z(|4=uMMIogz72CD8Wdrz%BvT{11Wv%`8 zmW~tJUp}d>J5sy-!PWr%?HbG46sDhEb!MGU;{e`sn)nwvpD!D(=P5m_H(RnGr1h3y zw=ey~9p6NSGvX;%qqpb` z$aoyGO_=JFW4bkD+Sx7Ep}6dbL_6`y)c$7{?<&g~v17Mnb;W`oDQ`n-sE4=e>9O^lT+D!-|V>H>*$AgGqF6%Jsj^ zr@zv>UMY7d*2L^HLidk-bg=A2!1r%uitX!hJ2di3eI5+&yw9t0o(* z!IRN=b=0_on(FRgn;!2uP?D08RCsNZ!E8^#bFZ?UG~Zk;y(M~LY80;S%<*daM#{3o zs|~I>mDn10+*4GtqFmf~c*HrVp`tvZ6BRmOFimh_vX#Y0={BWZs@sG*Wey#3>V6^LAyKf}aum7NqLFPK6@J@h_nfWri}hAWZ6$7#p1RO>ZvU`YeD>4i zbPaUoyP5mmz1AibAKNwG2>FQXu-SWZbajxVklcnYS?{g2uXEC=x{~eR(_J2>-RQir zW>_WHT4E=O5+3zt>YEGl+xE6;Y_+;{esJW#fzXuwS`Ump=9wSf>E@;;XW8IyRO|U* zfBxq)rHAM^4KQU<8|!j#a$u$+?Rjh8)%p5w#Bbc(QBrAhakcKJmT&^Uc=Y@3qItJg ztIWJ2x2bNJw`_O3g-X_!fGQ{R8c*MRDZ%q{_5D3{jeFFaOKNu?H~cY*76aUzvNXE&=I{%jrp$?cWZ7SGZRNvh3KM*a_jvXiDPKdoet zuPgd=ZA8)^ajkzj?2w2|9UWSGSNxGNe~D4iV92SX%`M{HgI5S3?x6#HkrvY&-`Sz=NeeKACILPRluxR8xF zz(Vws;y~og)^usSShnWHsrlvwK=UVI%;$GyYknVy`2$dniqb?d+eNT8&X&|@d>CTT zM2L=(2-29soIhw5bI`?^rR!?;LQc8s(^hY-ldIHW!A}1!i&In@aGDG0lDf+~NyaPl z79zIAuw@sHxb>u-UJqXgnD+~5t1DR8Xi)j29$1YI-SUd7pQZyk7<@E49UQ(Yyhm*T9VTm?~Qeeh6u`5JYrq;vJjg zamba>Ces6@(9--*i1luqhzLS>6-*~QC({Yf*g5Z%B09kvoLL2$8$63+&a=8?fRX-{Z8P1Cvd+Lxc_?zTyX?B3`^b^foQna^a=nJ&0-J%T>cdsy}Skj`CRc{3^*XrGT;q2w3J?>@q{!&mb4k53_$_J*2 zi0DM60%fuiBne+Ql`JCx>`Bt>08g&voy1rp!5Li4AZTPFCGD38t^z7JWdpk19V{p2eg?Zym1Cj zU77$EI9G86&YGUoDnFQfq-rur0-;S91WZ53)Wgm)yO?~T&qiI-+>V%i^GUvEqiOP_=h*A5j5wV;pHKVf9vNJ3 z+pyBYS?hSjx~sLuOB;U3$*Ie1JbKwBe1T`ysqe;nvMU-NnmG-R%wKF&eScGt!_I>T zkO$Xgb{G3AKS^~}unV|GnKMlK(oHYhvg-1!p38!*YlJ-geI7jhY9%0&{4rZZb>t4E z`h23Rs({y?K+Ed4gH8mVKjZG+$5T;nhO}p2v0{syXP=vNM7rYMH8vF<4OuxO5)oad zJp1m-sDED?sLFRdcNf+9u}r%xb>VppyD8rYB5M7W_L8U2ve}P2s5#$!(|Tgdr5hKd zWhH)Wxl(XmrB7vD*vUWFL`TVId$`Go3|C%qt8f)XepntlvIlkEX_;JgQ!!oXgQiP| zj7@=>~i;t10I)d%wOu(dV=V7wC7ovk+i=4YQ?x^~Rd>$<|7}nw=Xw1uxcTn5uK35>KN|_>->3H+V@>pqd zWaalAHqUGB2#%ha**Z;%Ci=2QNU$wzhP&6j^leAv`d)N|S)6!sdy#%bzv}DG()@RA zhN%*#>>6;+uL5u%gBADB>rT4u+xgJob#P?TAHsk2+_+!T9VtPObw9RHe0a{(R7{;-e=DQUg+NvwirU>5^tvW-e_a^LCQ6%T8XFY*bnEjq!1s-I7D^jY8{l<9FWM ziX-tpu^-glyKb&yO6(dX9_5?sTf*11-iw@d|3K+`V#AOAh)c?94du^1mx`F zwVs3sMHhx7%kN5RD*2pe8-4=6pyWvkMnh;(JW$PLrxx->7z8!SJ# z@LN=i*@9DtFIYMGZ;I&M;eFhoTuxP8M#yg4$LsQX zE#KYu%3ppb=1H7|$)fd^Z-$>=BEQt!yLHzUC)oj?%7t%lD?Bh0_})nPwC_$WA-(L- zNKMwctbowwMCrQeuLRC6JlVN$L7|%5qYNt-^;;%9UKtnq__f}3&6)XKOCxem|C+;# zYuBHCuIgf`d`IGoYRuOlS^4~nUzSDh&ae6^A=BSm$uP)^&{t1&B&>>)ET8Qm@+>|x z-1@F!guYxsw}o)a-IY-(J6tZF@FvHdSXdDq93`q-W}ErIYr}KJRZ6FGa}WBvC@)F; z^DmkZA3^ZGQCr)_u&B}nM3veL$3+5r10?M?og_3o8EvQatt;s|DspvMYP)Ss!)Szw zH^n`%UjgVul-%M%u;e) zfk-*S><(Ycqqv!8++RJefalKv{u{P&)6Nvy6fBm& zj|14UBkJ^%JF+js7vIMs#UHm}cC$G*b;U;}4@e zoy69RD2U0}YMvT^I7x{?7(?`*2oaVTmRd1O44rKpba81z6O&yXTXxJPa6d~7VxYtT zmV5owMgXhCaQ7JpA~&ZZ7+ot^bTOB{RjGrIp6>vsIGG_fr(%H90H|M^_DMMv#Sncb zLWG>Q3o|*r^@6=J^f-Uy@`N@;{`4FUjOBS;^4FsI#fov!N zkGixR^zo(>VnIHFGCx>>X@4LpU`3&5QXK6qt>BE`4UAaMUT;DtECu&k6bO+8$E@}O z#Q`laR1*{j=77sH*@+fMao~3<^*fdNol5;qrT(|3QrLVPOwME&{;03#kXa+~(X}@f z^J9tBl_nGl-7#nu?@gi_xC$_i~ zTfEKm?bt$VDoqTF4XW(ez+7%3)yTM8k{~<%hinEr+DL$C6G%=5P;;4n-3RVZ2WyN_ z@b`ywp(Gikh~Thrtl!4ckA9AT#}z_}5iqdy4sr&TyCq;<$`V+gR`O>DmbD-d?ofpz5F;@}l?f3+s7kM9BZfdka$+MMwJ+9~=a*Q3O8NU4v6mQVfCFqz zg#Zo@IKyNAI2=-7{fBUrnVp%RUsz0Nw7pLV^$#?}hZfAxIyx^=T8pGjGSmetx3zTi z^z=zuBwdmrS%)qTmn!_c#XKxDIx;Lc38zigM7f|)f$%tgTc4i-g**eD=m|Pn^WnM?JkB4*mR1Fg@FELP1Z&)xE~-HjhkCbSS50tCy)S8G+>3=P zck#cn3|XM}5KQk4Oey(8yfj>sB6ccL^b%*Tih90Z5?`2=IP?!VHadj zsTfG6sgHl4kKbBa=o->5y4uIE)Wl{<>%Xv6gb_27nk6PG}33$}{|KL&ke~3qYLoFRGJsmwJ-IMB3&p>y+p}wKMHd7vx>QVcj zc+{Sd$CXSyMnR);Kq%mWo)aO$8PK(I G1o?l2(4R^G literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ldap/aduser1.zeek b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek new file mode 100644 index 0000000000..fdafa692f6 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek @@ -0,0 +1,11 @@ +# @TEST-REQUIRES: have-spicy +# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT +# @TEST-EXEC: mkdir krb && mv *.log krb +# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT +# @TEST-EXEC: mkdir ntlm && mv *.log ntlm +# @TEST-EXEC: btest-diff krb/ldap.log +# @TEST-EXEC: btest-diff krb/ldap_search.log +# @TEST-EXEC: btest-diff ntlm/ldap.log +# @TEST-EXEC: btest-diff ntlm/ldap_search.log +# +# @TEST-DOC: Check two traces using different authentication mechanisms, but the same search request.