In one sense you are correct: the userPassword read
by slap_auxprop_lookup will never be revealed. And
so yes, the ssf for the results of that search would
be infinity.
But what I want to check is the weakest link in the
chain. I can't imagine any instance when that isn't
what you would want to check, so that is what the
ssf should reflect. By definition, the
slap_auxprop_lookup can never be the weakest link.
The weakest link in this case is when sasl sent the
password to slapd. Really, what I want to say is if
the password was sent in the clear, whether it be by
sasl or simple auth, then the link must be encrypted.
The patch makes the information required to do that
test available.