> I think the SASL debate actually evolves out of a deeper problem with the
> CLDAP draft itself:
>
> Is it a specification for running an LDAP session over UDP, or is it a
> specification for running LDAP queries in connectionless mode?
>
Both and none. In order to be able to use read with access-control you need,
as someone already pointed out, to be able to identify a session, defined by
a completed bind which does require something beyond what is provided in the
draft. For anonymous reads the situation is different.