[Fedora-directory-users] SASL authentication

[David Boreham]

One thing to observe here is that _generally_ one does not
want to reveal more information to a potential attacker than is
necessary. In this case it may be useful for a bad guy to know
that there is no plaintext password vs. only knowing that
authentication failed. Put another way : attempts to authenticate
generally result in a binary succeed/fail result (excepting
perhaps cases like 'your password has expired, which is only
returned when an old but valid password is presented).