https://bugs.openldap.org/show_bug.cgi?id=9256
--- Comment #2 from Karl O. Pinc kop@karlpinc.com ---
(In reply to Howard Chu from comment #1)
> (In reply to Karl O. Pinc from comment #0)
> > E.g. knowing that (objectClass=*) is the default filter, and that there's _always_ _some_ filter,
> This is fundamental to LDAP. Everyone administering slapd should already know this.
That's as may be, but someone doing their first installation may not have it in their mind or be immediately aware of all the implications. It is easy to forget; ldapsearch does not require a filter be specified.
Regardless, the authorization required for SASL binding is seemingly unrelated to that required for simple binding. Simple binding does not require authorization to the entry pseudo-attribute or the objectClass attribute, even though some sort of search/lookup must be done internally. Anyone trying to configure authorization for SASL binding based on their experience with simple binding will be misled, even if only doing direct DN mapping.
Being explicit about SASL authorization requirements goes a long way toward reducing the effort involved in setting up SASL.