abartlet@samba.org wrote:
> Samba4 always uses SASL credentials these days (trying to avoid simple binds).
libsasldb2.so is not required for a SASL bind with a password-based mechanism. You can store the passwords in the attribute userPassword (in clear-text). So the security consideration is more about password storage than SASL vs. simple bind on the wire.
> Perhaps it's time to investigate EXTERNAL
That would be good anyway since in Samba4 the result of standard provision is LDAPI access anyway. So you could directly map the Unix user smbd is running as (root?) with authz-regexp to directory user samba-admin. Well, we already discussed that.. ;-)
Ciao, Michael.
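
The LDAPI/EXTERNAL mapping described in the message above, sketched as a slapd.conf fragment. This is an added example, not part of the original message or of Samba's provisioning; it assumes smbd runs as uid 0/gid 0, and the suffix `dc=example,dc=com` and the `cn=` RDN of samba-admin are placeholders.

```conf
# Added example (assumptions: smbd runs as root, placeholder suffix and RDN).
#
# On an ldapi:/// connection, SASL EXTERNAL takes the client identity from
# the socket's peer credentials, so no password crosses the wire and none
# has to be stored in userPassword for this account. For root, slapd sees:
#
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#
# authz-regexp rewrites that authentication DN to a directory entry.
# "[+]" matches the literal plus sign; a bare "+" would be a regex
# quantifier and the pattern would never match. Anchoring with ^ and $
# keeps the rule from matching any other uid/gid pair.
authz-regexp
    "^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth$"
    "cn=samba-admin,dc=example,dc=com"

# Check the result as the mapped Unix user:
#   ldapwhoami -Y EXTERNAL -H ldapi:///
# Expected authorization identity: dn:cn=samba-admin,dc=example,dc=com
#
# Every process running as that Unix user that can reach the socket
# inherits this mapping, so the socket's file permissions and the ACLs
# granted to samba-admin define the exposure.
```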