Kurt Zeilenga wrote:
>
> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>
>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <h...@symas.com>
>> wrote:
>>
>>> Michael Ströder wrote:
>>>> Hi!
>>>>
>>>> I have some doubts about ACLs containing "by users" and the term
>>>> "authenticated clients" used in the man pages: If I bind with
>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>> authz-DN of a real directory entry, what does "by users" then mean
>>>> exactly?
>>>
>>> It means anyone who has successfully authenticated, by any means.
>>>
>>>> It seems that slapd grants access with clause "by users", but I feel this
>>>> is wrong. I'd prefer if "users" would mean fully identified clients
>>>> mapped to a real entry.
>>>
>>> No. Such a restriction would prevent distributed authentication from ever
>>> working.
>>
>> The downside of not being able to specify authenticated DNs vs.
>> DNs that actually map to an entry in the database is that for some things
>> (like SASL/GSSAPI setups) it makes the "users" value completely
>> worthless, as any Kerberos principal in the KDB that connects to the LDAP
>> servers is considered a "user".
>
> You confuse authentication with authorization. In this case, that
> principal is certainly authenticated. It's just not authorized (in your
> case). There certainly may be cases where such users are authorized to
> some degree.
Kurt, it's not that simple: Of course there was a successful authentication in the case of SASL/EXTERNAL. Taking the term "authenticated clients" literally, you're done for processing "by users". But the user is not really *identified* in terms of an entity represented by a directory entry, and therefore the behaviour looks strange to me, because no one wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing the semantics of "by users" to "identified clients" or having another keyword "by identifiedusers" with that semantics. The authorization step happens *after* identification based on the (optionally mapped) principal name.

Ciao, Michael.
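The practical consequence of the semantics discussed in this thread, shown as an added slapd.conf example (editor's illustration, not a configuration posted by any participant or shipped by the OpenLDAP project): "by users" matches every successfully authenticated bind, including SASL/EXTERNAL and GSSAPI identities whose authc-DN was never mapped to an entry, so an ACL that wants only "identified" clients has to name the part of the tree the mapped identities live in instead of relying on "users". The suffix dc=example,dc=com, the ou=People container, the cn=admin entry and the Kerberos realm EXAMPLE.COM are assumptions made for the example.

```conf
# Added example (not from the thread): slapd.conf fragment contrasting
# "by users" with an ACL that only grants access to identities mapped
# onto a real entry. dc=example,dc=com, ou=People, cn=admin and the
# realm EXAMPLE.COM are assumed names.

# An unmapped SASL/EXTERNAL bind over ldapi:/// carries an authc-DN of
# the form gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth.
# Map the local root user onto an entry; every other local uid stays
# under cn=auth. The '+' is escaped because the pattern is a POSIX
# extended regular expression.
authz-regexp
    "^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$"
    "cn=admin,dc=example,dc=com"

# An unmapped GSSAPI bind carries uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# (realm lowercase, as in the OpenLDAP admin guide's examples). Map it by
# searching ou=People for a matching uid: only principals that have an
# entry get a directory DN; any other principal in the KDB keeps its
# cn=auth authc-DN.
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "ldap:///ou=People,dc=example,dc=com??one?(uid=$1)"

# Weak form (the behaviour the thread describes): "users" is satisfied
# by any authenticated bind, mapped or not, so the unmapped cn=auth
# identities above are granted read access too.
#access to dn.subtree="dc=example,dc=com"
#    by users read
#    by * none

# Stronger form: grant only to DNs under ou=People, i.e. identities that
# the authz-regexp rules mapped onto an entry. Unmapped authc-DNs live
# under cn=auth (or, for SASL/EXTERNAL over TLS, are the client
# certificate's subject DN) and therefore match neither clause; the
# first matching "by" clause wins, and the rest fall through to "by * none".
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.children="ou=People,dc=example,dc=com" read
    by * none
```

To see which identity slapd will actually evaluate the ACL against, bind with the mechanism in question and ask: `ldapwhoami -Y EXTERNAL -H ldapi:///` (or `-Y GSSAPI -H ldap://host/`) prints the effective authz-DN; a result still ending in `cn=auth` means the mapping did not apply and, under the weak form above, that client would nonetheless pass "by users".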