You can use bind rules to specify that binding can occur only when a specific level of Security Strength Factor (SSF) is enforced on the established connection. A connection's SSF is based on the key strength of the cipher enforced on the connection and pertains only to TLS/SSL or DIGEST-MD5/GSSAPI confidentiality or integrity connections.
The LDIF syntax for setting a bind rule based on the Security Strength Factor is shown here:
ssf operator "strength"
where operator can be one of the following symbols:
= (equal to)
!= (not equal to)
> (greater than)
>= (greater than or equal to)
< (less than)
<= (less than or equal to)
The strength is a value from 1 to 1024 that represents the cipher key strength required on the connection. DIGEST-MD5/GSSAPI connections with integrity enforced have an SSF of 1. TLS/SSL and DIGEST-MD5/GSSAPI confidentiality connections can have variable SSF values based on the cipher negotiation performed between the directory server and the client. The higher a connection's negotiated SSF, the stronger the encryption on the connection. The following examples show SSF bind rules:
ssf = "1"; is true for access if an SSF of exactly 1 (integrity only) is enforced on the connection.
ssf != "40"; is true for access if the SSF enforced on the connection is not equal to 40.
ssf > "128"; is true for access if the SSF enforced on the connection is greater than 128.
ssf >= "128"; is true for access if the SSF enforced on the connection is greater than or equal to 128.
ssf < "56"; is true for access if the SSF enforced on the connection is less than 56.
Clear connections have an SSF of 0.
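Because clear connections have an SSF of 0, rules written with !=, < or <= are also true for unencrypted connections. The following check is an added example, not part of the directory server: it parses the ssf syntax above and reports the weakest connection each rule admits. The function names and the required=128 threshold are assumptions chosen for illustration.

```python
import operator
import re

# Operators the page lists for the ssf bind rule keyword.
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}
# Matches: ssf operator "strength", with an optional trailing semicolon.
RULE_RE = re.compile(r'^\s*ssf\s*(!=|>=|<=|=|>|<)\s*"(\d+)"\s*;?\s*$')

def parse_ssf_rule(rule):
    """Return (operator, strength) for an ssf bind rule, or raise ValueError."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not an ssf bind rule: {rule!r}")
    strength = int(m.group(2))
    if not 1 <= strength <= 1024:  # range given on the page
        raise ValueError(f"strength outside 1..1024: {strength}")
    return m.group(1), strength

def rule_matches(rule, connection_ssf):
    """True if a connection with this negotiated SSF satisfies the rule."""
    op, strength = parse_ssf_rule(rule)
    return OPS[op](connection_ssf, strength)

def weakest_admitted(rule):
    """Lowest SSF in 0..1024 that satisfies the rule, or None if none does."""
    op, strength = parse_ssf_rule(rule)
    return next((s for s in range(1025) if OPS[op](s, strength)), None)

def audit(rule, required=128):
    """Classify a rule by the weakest connection it lets through.
    required=128 is a hypothetical site policy, not a server default."""
    weakest = weakest_admitted(rule)
    if weakest is None:
        return "never matches"
    if weakest == 0:
        return "matches clear connections (SSF 0)"
    if weakest < required:
        return f"matches connections as weak as SSF {weakest}"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: the page's five example rules.
    for rule in ('ssf = "1";', 'ssf != "40";', 'ssf > "128";',
                 'ssf >= "128";', 'ssf < "56";'):
        print(f"{rule:16} {audit(rule)}")
```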