Nowhere does it say there that it sets the minimum SSF of connections.
Stating what it doesn't say is unhelpful.
My question is posed because of my misunderstanding of what it does say.
It says it specifies the minimum or maximum acceptable SSF. I.e., if you set the minimum SSF to 128, and an incoming connection only uses 56, then XYZ won't be usable.
The distinction between "minimum SSF" and "minimum acceptable SSF" is somewhat non-obvious, and still lost on me.
I've generally used this type of restriction more with ACLs, such as:
by dn.base="cn=xyz,dc=example,dc=com" sasl_ssf=56 read
There's no mention of 'sasl_ssf' in 'man slapd.conf'; rather, only in 'man slapd.access', where it states:
sasl_ssf=<n> set the minimum required Security Strength Factor (ssf) needed to grant access
On the 'man slapd.conf' page,
minssf=<factor> property specifies the minimum acceptable security strength factor as an integer approximate to effective key length used for encryption
Again, the difference is completely unclear. Perhaps someone else might take a helpful stab at clarifying the diff?
In the context of my originally posted question, rephrased:
Why does *addition* of "maxssf=256" (the maximum acceptable security strength factor) to "sasl-secprops ..." cause the 'SASL SSF' reported "ldapwhoami -ZZ" to change from
SASL SSF: 56 --> SASL SSF: 0
?
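To make the two knobs being compared in the post above concrete, here is an added slapd.conf fragment (editor's example, not from the thread or the OpenLDAP project) showing where each one lives. The global sasl-secprops line bounds what a SASL mechanism is allowed to negotiate for the whole connection; the sasl_ssf clause in an ACL is a per-access test against the SSF the connection actually negotiated. The DNs and the suffix are constructed placeholders.

```conf
# slapd.conf fragment (added example). Directive and property names are from
# man slapd.conf and man slapd.access; the DNs are constructed placeholders.

# Connection-level bounds for SASL negotiation. A mechanism that cannot
# provide an SSF inside [minssf, maxssf] is not acceptable for the bind.
sasl-secprops minssf=56,maxssf=256

# Access-level requirement. Even after a successful bind, this entry is
# readable only by a connection whose negotiated SASL SSF is >= 56.
access to dn.base="cn=xyz,dc=example,dc=com"
    by dn.base="cn=admin,dc=example,dc=com" sasl_ssf=56 read
    by * none
```

To see which SSF a given mechanism actually negotiated against this configuration, bind with that mechanism explicitly (for example `ldapwhoami -ZZ -Y DIGEST-MD5`) and read the `SASL SSF:` line it reports; the ACL clause is evaluated against that reported value, while sasl-secprops only decides whether the negotiation was acceptable in the first place.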
PGNet wrote:
> Why does *addition* of "maxssf=256" (the maximum acceptable security strength factor) to "sasl-secprops ..." cause the 'SASL SSF' reported "ldapwhoami -ZZ" to change from
> SASL SSF: 56 --> SASL SSF: 0
I think this is a valid question (and also why the ldapwhoami succeeds when minssf cannot be satisfied..). However, the overall tone of your message is "not helpful". Your assertion that minssf *sets* the SSF for SASL binds is simply wrong. The actual SSF depends on the SASL mechanism negotiated for the connection; you can't dictate SSF strength in slapd.conf. Maybe consulting a dictionary about the meaning of "acceptable" might be "helpful".
cheers Paul
openldap-software@openldap.org