Re: (ITS#5195) ssf not available during sasl bind



I have now tried:

  security tls=128 sasl=128

It didn't work.  All the commands below work without
the 'security' option.

  ldapsearch -x -ZZ -D "uid=openldap,dc=auth,dc=lubemobile,dc=com,dc=au" -w "$(ssu cat /etc/libnss-ldap.secret)" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
  ldap_bind: Confidentiality required (13)
        additional info: SASL confidentiality required

Which, when I think about it, may be reasonable.  I am
apparently saying I require a sasl ssf of 128, and
obviously I don't have that.  This was a surprise
though:

  ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
  ldap_sasl_interactive_bind_s: Confidentiality required (13)
        additional info: SASL confidentiality required

Is that a bug?

Anyway, bugs aside, assuming I now have some idea how it
works, it's useless for my application.  I want to insist
that userPassword be encrypted when sent and received,
be that via CRAM-MD5 or friends or by using TLS, but clear
text is fine for the rest of the information in the ldap
database, and in fact anonymous unencrypted connections
are the rule for VPN access.  The 'security' option
applies to all connections.

Anyway, to state the problem as clearly as I can, I can't
see how to do the following combination of things:

  . Allow anonymous access over unencrypted connections
    for the bulk of the database.

  . Allow simple binds, but they must be over encrypted
    connections to protect userPassword.
   
  . Allow sasl binds over unencrypted connections, but
    the must not use clear text.

  . Not particularly relevant to me, but it would be
    nice to allow sasl binds using clear text if they
    are over an encrypted connection.

The patch does this of course, but if there is some other
way then the patch is irrelevant, except perhaps from a
usability point of view.
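For reference, a slapd.conf fragment (added here as an example; it is not from the poster, the ITS, or the patch under discussion) that expresses the first two items of the list above with directives documented in slapd.conf(5) and slapd.access(5): the global `security simple_bind=` minimum and per-clause `ssf=` qualifiers in ACLs. It does not cover the SASL items, and the suffix, rootdn and certificate paths are placeholders.

```conf
# Added example (not the poster's configuration). Placeholders below.
TLSCertificateFile    /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/slapd-key.pem

# Item 2: a simple (DN + password) bind is refused unless the session
# already has SSF >= 128, i.e. it arrives over TLS.  Unlike a bare
# "security ssf=128", this leaves anonymous cleartext sessions alone.
security simple_bind=128

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=admin,dc=example,dc=com"

# userPassword is never readable.  The owner may change it and a
# simple bind may compare against it ("auth"), but only on sessions
# whose SSF is at least 128; everything else gets nothing.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none

# Item 1: the rest of the tree is readable by anyone, encrypted or not.
access to *
    by * read
```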