I have now tried:
security tls=128 sasl=128
It didn't work. All the commands below work without the 'security' option.
ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au" -w "$(ssu cat /etc/libnss-ldap.secret)" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
ldap_bind: Confidentiality required (13)
        additional info: SASL confidentiality required
Which, when I think about it, may be reasonable. I am apparently saying I require a sasl ssf of 128, and obviously I don't have that. This was a surprise though:
ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
ldap_sasl_interactive_bind_s: Confidentiality required (13)
        additional info: SASL confidentiality required
Is that a bug?
Anyway, bugs aside, assuming I now have some idea how it works, it's useless for my application. I want to insist that userPassword be encrypted when sent and received, be that via CRAM-MD5 or friends or by using TLS, but clear text is fine for the rest of the information in the ldap database, and in fact anonymous unencrypted connections are the rule for VPN access. The 'security' option applies to all connections.
Anyway, to state the problem as clearly as I can, I can't see how to do the following combination of things:
. Allow anonymous access over unencrypted connections for the bulk of the database.
. Allow simple binds, but they must be over encrypted connections to protect userPassword.
. Allow sasl binds over unencrypted connections, but they must not use clear text.
. Not particularly relevant to me, but it would be nice to allow sasl binds using clear text if they are over an encrypted connection.
The patch does this of course, but if there is some other way then the patch is irrelevant, except perhaps from a usability point of view.
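The four-point combination listed in the post, expressed as an added slapd.conf fragment (not from the original message or the patch it refers to). It assumes an OpenLDAP release whose `security` directive accepts the per-bind-type `simple_bind=` keyword and whose build has Cyrus SASL, so that `sasl-secprops` is honoured; whether PLAIN is let through on a TLS-protected connection depends on the SASL library treating the TLS SSF as an external SSF, which is an assumption to verify against the deployed version.

```conf
# Global minimum stays at the default (0): anonymous reads over an
# unencrypted connection are still allowed, which is what the VPN
# clients rely on. Only simple binds must arrive over a channel with
# at least 128 bits of protection (in practice, TLS via StartTLS/ldaps).
security simple_bind=128

# SASL binds may arrive over a cleartext transport, but mechanisms that
# ship the password in clear (PLAIN, LOGIN) are refused there; challenge/
# response mechanisms such as CRAM-MD5 or DIGEST-MD5 are still offered.
# Assumption: the SASL library counts the TLS SSF as external SSF, so
# PLAIN becomes acceptable again once the connection is encrypted.
sasl-secprops noplain,noanonymous

# Belt and braces at the ACL level: userPassword is only touched over a
# protected channel (ssf= is the effective SSF, i.e. max of TLS and SASL
# layers), the owner may change it, and authentication may read it.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none

# Everything else is world-readable, encrypted or not.
access to *
    by * read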