--On Thursday, July 27, 2023 5:23 PM +0100 Howard Chu <h...@symas.com> wrote:
Sean Gallagher wrote:
On 27/07/2023 5:57 pm, Ondřej Kuzník wrote:
I'm not sure what you're trying to achieve here. Why do you want to
distinguish different kinds of anonymous clients?
My clients are very asymmetric. Each has a particular job to do, and a
particular set of operations to perform on the database. I was trying to
restrict access for each client, to just what was needed for it to
perform its task. Then if one client is compromised, damage can be
(more) contained.
As it stands, before a bind, all (IP) clients look the same (apart from
the IP address) - and so all clients need "auth" access to all other
clients' credentials.
That is all false. No auth privileges are needed to perform a SASL
EXTERNAL Bind.
That is not necessarily true. If you do a direct mapping, correct. If you
have an LDAP URI that does an internal lookup as part of validating the
external bind, then auth is necessary on those attributes. This is noted
explicitly in the man page.
--Quanah
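Added illustration, not from the thread and not the OpenLDAP project's own documentation: a slapd.conf fragment contrasting the two mapping styles Quanah distinguishes, with the ACL a URI-style mapping needs and the one that breaks it. The suffix, OU names, filter attribute and certificate subject layout are assumptions.

```conf
# Constructed example. Assumed names: suffix dc=example,dc=com, client
# entries under ou=clients, certificate subjects of the form
# cn=<name>,ou=devices,o=example as presented to slapd after TLS.

# Style 1: direct mapping. The authentication DN taken from the client
# certificate is rewritten into an entry DN by string substitution. No
# internal search happens, so no ACL is consulted to complete the bind
# (Howard's case).
authz-regexp
    "^cn=([^,]+),ou=devices,o=example$"
    "cn=$1,ou=clients,dc=example,dc=com"

# Style 2: URI mapping. slapd performs an internal search to locate the
# entry. The client is still anonymous at this point, so the attribute
# used in the filter (cn here) must be reachable with "auth" access by
# anonymous (Quanah's case). Enable this instead of style 1 to use it.
# authz-regexp
#     "^cn=([^,]+),ou=devices,o=example$"
#     "ldap:///ou=clients,dc=example,dc=com??sub?(cn=$1)"

# Breaks style 2: anonymous gets no access to cn, the mapping search
# cannot evaluate its filter, and the EXTERNAL bind fails to map.
# access to dn.subtree="ou=clients,dc=example,dc=com" attrs=cn
#     by anonymous none
#     by users read

# Works with style 2. "auth" sits below "compare", "search" and "read"
# in slapd's privilege levels, so anonymous can complete the mapping
# but cannot read, compare or search other clients' cn values. Per-client
# restrictions are then applied after the bind, keyed on the mapped DN.
access to dn.subtree="ou=clients,dc=example,dc=com" attrs=cn
    by anonymous auth
    by self read
    by users none

access to dn.subtree="ou=clients,dc=example,dc=com"
    by self read
    by * none
```

In slapd.conf a line beginning with whitespace continues the previous directive, which is why each authz-regexp and access rule can be split across lines as shown.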