I have locked down my server to disallow anonymous binds and set the SSF=128.   I also have SaslSecProps: noplain,noanonymous,minssf=128

Which all seems to work fine for my usage with one exception.   If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:

additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

Is there some configuration item that I can change to allow that work while maintaining my existing policy of no anonymous binds for everything else, etc?


Thanks,
-- 
Frank