Re: SASL Binds and meaning of "users"

2023-04-19 Thread Quanah Gibson-Mount
--On Tuesday, April 18, 2023 4:43 PM +0200 Ondřej Kuzník wrote:

> Recently seen a few people assume that authz-regexp search-based mappings
> enforce that an entry is found or the Bind is failed, which is not the
> case. Obviously the admin guide[0] should be adjusted not to cause more
> confusion but the question remains:
>
> Should we be able to decide whether an identity should be considered a
> "user" (Bind succeeds)?
I'm generally of the opinion that using "by users X" other than "by users 
none" is a very bad idea and should be avoided, largely for the issues 
above.  A user is anything that had some sort of success in a BIND 
operation, whether or not (particularly when dealing with SASL mechanisms) 
it actually mapped to something in the database.  It's only a small step 
above "by anonymous X".  There are valid reasons to allow a SASL bind that 
doesn't actually map to something in the DB.


--Quanah
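An added example, not taken from this thread or from the OpenLDAP documentation, of the ACL shape the point above argues for, written in slapd.conf syntax (the olcAccess / olcAuthzRegexp attributes in cn=config take the same clauses). The suffix dc=example,dc=com, the GSSAPI authz-regexp and the cn=staff group are assumed for illustration:

```conf
# Assumed mapping: a Kerberos principal "alice" becomes the entry with uid=alice
# under ou=people, *if* such an entry exists.  If the search finds nothing the
# Bind still succeeds and the identity stays in its SASL form,
# uid=alice,cn=gssapi,cn=auth, which is "users" for ACL purposes.
authz-regexp
  uid=([^,]*),cn=gssapi,cn=auth
  ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# Weak: any identity that got through a Bind, mapped to an entry or not,
# can read the whole subtree.  Only one notch above "by anonymous read".
access to dn.subtree="ou=people,dc=example,dc=com"
  by self write
  by users read
  by anonymous auth

# Preferred: a successful Bind alone grants nothing.  Authorization is tied
# to what the identity resolved to in the directory (its own entry, a group
# membership, or at least an entry under ou=people).  An unmapped
# uid=...,cn=gssapi,cn=auth identity matches none of those and falls
# through to "by users none".
access to dn.subtree="ou=people,dc=example,dc=com"
  by self write
  by group.exact="cn=staff,ou=groups,dc=example,dc=com" read
  by dn.children="ou=people,dc=example,dc=com" read
  by users none
  by anonymous auth
```

The clauses are evaluated in order and the first matching "by" wins, so the entry-based clauses must precede "by users none". To see which identity an ACL will actually be evaluated against after mapping, bind over the mechanism in question and ask the server, e.g. `ldapwhoami -Y GSSAPI` (assumes a working SASL setup); an answer of the form `dn:uid=alice,cn=gssapi,cn=auth` means the authz-regexp search found nothing and the Bind nonetheless succeeded.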
Re: SASL Binds and meaning of "users"

2023-04-18 Thread Jordan Brown
Always remember that authentication and authorization are different
things.  Many more entities might be able to authenticate than are
authorized to take any particular action.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris