russell-openldap@stuart.id.au wrote:
In one sense you are correct: the userPassword read by slap_auxprop_lookup will never be revealed. And so yes, the ssf for the results of that search would be infinity.
But what I want to check is the weakest link in the chain. I can't imagine any instance when that isn't what you would want to check, so that is what the ssf should reflect. By definition, the slap_auxprop_lookup can never be the weakest link. The weakest link in this case was when sasl sent the password to slapd. Really, what I want to say is if the password was sent in the clear, whether it be by sasl or simple auth, then the link must be encrypted.
The patch makes the information required to do that test available.
Using ACLs to enforce this requirement is the wrong approach though. You should just use the "security" directive instead. With your approach you're missing the fact that SASL may not have sent any password at all to slapd (e.g., when using DIGEST-MD5 or an OTP mechanism). As such, you're imposing a constraint that makes no sense.
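For readers following the two approaches argued over above, here is an added slapd.conf fragment (not from either poster, and not from the patch under discussion; OpenLDAP 2.x slapd.conf syntax is assumed) that puts an ACL-based attempt next to the global `security` directive the reply recommends:

```conf
# Added illustration, not code from the thread. OpenLDAP 2.x slapd.conf syntax assumed.

# ACL-based attempt: only hand out userPassword for auth/compare over a link whose
# ssf is at least 128. This gates one attribute read, not the bind itself: a
# cleartext simple bind over plain TCP is still accepted on the wire and only fails
# later on the ACL, and the rule is applied even to SASL binds (DIGEST-MD5, OTP)
# that never transmitted a password at all.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none

# Preferred: the global "security" directive. simple_bind=128 refuses a simple
# bind (which does carry the password in the clear) unless the session already has
# an ssf of at least 128, i.e. TLS or a SASL security layer is in place. SASL
# binds that do not send the password are not constrained by this factor.
security simple_bind=128

# Optional stricter variant: require an ssf of 128 for every operation, whatever
# the bind method. Use this only if all clients are expected to speak TLS or
# negotiate a SASL security layer.
# security ssf=128
```

The `security` factors map directly onto the "weakest link" the first poster describes: `simple_bind` looks at the strength of the link at the moment the cleartext password crosses it, which is exactly the check an ACL on the stored attribute cannot express.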