quanah@zimbra.com writes:
> access to userPassword
>     by anonymous auth sasl_ssf=128 break
>     by anonymous auth tls=128
>     by self read
>
> (At this point, you've forced any user to be encrypted,
> so no need to duplicate the requirements on the read access).

No, you've forced users who authenticate against userPassword to be encrypted. Not all SASL methods, nor auth with rootpw.

Also, repeating an old point, remember that the "security" keyword produces better error messages ("Confidentiality required") than "access ... ssf=..." ("Insufficient access" for updates, "Invalid credentials" for Bind). With the latter, the user likely thinks he mistyped the password and sends it again unencrypted.

Come to think of it, I guess I should insert that in the slapd.access(5) manpage.
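The two approaches contrasted in the reply, written out as an added slapd.conf example. This is not code from the thread or from the OpenLDAP documentation; it assumes a slapd with TLS already configured, user entries carrying userPassword, and 128 as the chosen minimum security strength factor (SSF). Attribute keywords follow slapd.access(5), which spells the TLS factor `tls_ssf=`; the directive keywords follow slapd.conf(5).

```conf
# Added example (not from the thread). Goal of both fragments: never let a
# user password cross the wire in the clear.
# Assumptions: TLS configured, userPassword on user entries, SSF threshold 128.

##### (a) ACL-only, the approach quoted above
# The ssf condition is part of the "by" clause match, so the clause simply
# does not apply to an unprotected connection and the bind falls through to
# "by * none". Consequences:
#   - the password has ALREADY been received in the clear by the time the
#     ACL is evaluated; the ACL only refuses to accept it afterwards;
#   - the bind fails with LDAP result 49 (invalidCredentials), so the
#     client sees "Invalid credentials" and will most likely retype the
#     same password over the same unencrypted session;
#   - nothing here touches binds that never consult userPassword: the
#     rootdn binding with rootpw (ACLs are not applied to the rootdn) or
#     SASL mechanisms such as EXTERNAL/GSSAPI.
# ssf=128 is the connection's overall SSF, whichever of the TLS or SASL
# layer provides it; use tls_ssf= / sasl_ssf= to constrain one layer only.
access to attrs=userPassword
    by anonymous auth ssf=128
    by self read
    by * none

##### (b) The "security" directive (slapd.conf(5)), global or per-database
# Checked before the operation is processed, for every client however it
# authenticates. A request on a connection below the threshold is rejected
# with LDAP result 13 (confidentialityRequired), so a simple bind is refused
# before the password is even examined, and the client sees
# "Confidentiality required" rather than "Invalid credentials".
#
#   simple_bind=128  every simple bind, including the rootdn's rootpw bind,
#                    must arrive with SSF >= 128
#   update_ssf=128   every add/modify/delete/modrdn, by anyone, needs SSF >= 128
security simple_bind=128 update_ssf=128

# Broader alternative: require SSF >= 128 for every operation on the
# connection, anonymous searches included (subsumes simple_bind above):
# security ssf=128

# With the confidentiality requirement enforced globally, the ACL no longer
# needs to repeat it and reads as plain access policy:
access to attrs=userPassword
    by anonymous auth
    by self read
    by * none
```

A quick check from a client is to bind over plain ldap:// without STARTTLS against each configuration: with (a) the server answers invalidCredentials after the password was sent, with (b) it answers confidentialityRequired and the password is never accepted in the clear.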