In one sense you are correct: the userPassword read
by slap_auxprop_lookup will never be revealed. And
so yes, the ssf for the results of that search would
But what I want to check is the weakest link in the
chain. I can't imagine any instance when that isn't
what you would want to check, so that is what the
ssf should reflect. By definition, the
slap_auxprop_lookup can never be the weakest link.
The weakest link in this case when sasl sent the
password to slapd. Really, what I want to say is if
the password was sent in the clear, whether it be by
sasl or simple auth, then the link must be encrypted.
The patch makes the information required to do that
Using ACLs to enforce this requirement is the wrong approach though. You
should just use the "security" directive instead. With your approach you're
missing the fact that SASL may not have sent any password at all to slapd
(e.g., when using DIGEST-MD5 or an OTP mechanism). As such, you're imposing a
constraint that makes no sense.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/