Howard Chu wrote:
saslid - ignored unless you set usesasl. If you enable sasl without setting a saslid, it's possible for some arbitrary ID to be configured. But again, without a password, such a setting is usually useless. If you're using a mech like GSSAPI or EXTERNAL that doesn't use passwords, it may connect successfully, with that ID's privileges. Whether the ID can see the relevant info that pam/nss needs would determine what happens next.
The version of nss_ldap I'm looking at has GSSAPI hardcoded, so much of this is moot. You'll have to configure a credential cache, and ldap.conf can't provide that.
sasl_secprops - it would be possible to specify weaker props if this value is not set.
The worst you could do is turn off the security layer, which nss_ldap turns off by default anyway.