diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index a78833769f3531fb2625aa602e2cd08f420390c2..cef9f2c2d2b044f4a3fdf7a5a538ed3ae49ad66f 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -125,6 +125,18 @@ recommended that
 directives be used instead.
 .RE
 .TP
+.B disallow <features>
+Specify a set of features (separated by white space) to disallow.
+.B bind_v2
+disables acceptance of LDAPv2 bind requests.
+.B bind_anon
+disables acceptance of anonymous bind requests.
+.B bind_anon_cred
+disables anonymous bind creditials are not empty (e.g. when
+DN is empty).
+.B bind_anon_dn
+disables anonymous bind when DN is not empty.
+.TP
 .B idletimeout <integer>
 Specify the number of seconds to wait before forcibly closing
 an idle client connections.  A idletimeout of 0 disables this
@@ -229,6 +241,28 @@ Specify the referral to pass back when
 cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
+.B require <conditions>
+Specify a set of conditions (separated by white space) to require.
+The directive may be specified globally and/or per-database.
+.B bind
+requires bind operation prior to directory operations.
+.B LDAPv3
+requires session to be using LDAP version 3.
+.B authc
+requires authentication prior to directory operations.
+.B SASL
+requires SASL authentication prior to directory operations.
+.B strong
+requires strong authentication prior to directory operations.
+Currently
+.B SASL
+and
+.B strong
+conditions are currently same.
+.B none
+may be used to require no conditions (useful for clearly globally
+set conditions within a particular database).
+.TP
 .B sasl-realm <string>
 Used to specify Cyrus SASL realm.
 .TP
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index ca38d9f330b480bb3d487eb50bc0f3eddb15fd47..3cc017ca2f981bdfa3767e730199248912c8c30d 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -733,7 +733,7 @@ backend_check_restrictions(
 			if( op->o_authmech == NULL ||
 				op->o_dn == NULL || *op->o_dn == '\0' )
 			{
-				*text = "SASL authentication required";
+				*text = "strong authentication required";
 				return LDAP_STRONG_AUTH_REQUIRED;
 			}
 		}
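Review bot: The condition guarding the renamed message still only tests that `op->o_authmech` is set and `op->o_dn` is non-empty, so any SASL mechanism that yields a DN satisfies what the text now calls "strong authentication"; nothing visible here looks at the mechanism or the negotiated SSF. The man page change in this commit states that the SASL and strong conditions are currently the same, so this looks intentional, but an operator reading the new error text may assume more is enforced than is. I would add a comment above the check, e.g. `/* FIXME: any SASL mechanism with a non-empty DN passes; mechanism strength and SSF are not evaluated */`. The enclosing branch of backend_check_restrictions starts outside the hunk, so which requirement flag selects this path is inferred from the message only.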
diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 446104f6edade3a69d332a02eebe4ddd6ec0050e..1e2fdbc36b88b77729439344795a2ca377f27f71 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -251,6 +251,10 @@ do_bind(
 			conn->c_dn = edn;
 			conn->c_authmech = mech;
 			if( ssf ) conn->c_sasl_layers++;
+			conn->c_sasl_ssf = ssf;
+			if( ssf > conn->c_ssf ) {
+				conn->c_ssf = ssf;
+			}
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 		} else if ( rc == LDAP_SASL_BIND_IN_PROGRESS ) {
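Review bot: The added `if( ssf > conn->c_ssf )` only ever raises `conn->c_ssf`, while `conn->c_sasl_ssf` is overwritten unconditionally, so after a later SASL bind with a lower or zero `ssf` the two fields can disagree and `c_ssf` keeps the earlier, higher value. If `c_ssf` is meant to be the maximum of the transport and SASL strengths that may be acceptable, but nothing in the hunk shows where it is recomputed when the connection's authentication state is reset, and any access decision that reads `c_ssf` would then see a strength the current bind did not negotiate. I would document the invariant at the assignment, e.g. `/* c_ssf = max(transport ssf, SASL ssf); never lowered here, must be recomputed when the bind state is reset */`, and confirm the reset path does so. do_bind starts and continues outside the hunk, so that reset may already exist there.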