--On Tuesday, April 18, 2023 4:43 PM +0200 Ondřej Kuzník wrote:

> Recently seen a few people assume that authz-regexp search-based mappings
> enforce that an entry is found or the Bind is failed, which is not the
> case. Obviously the admin guide[0] should be adjusted not to cause more
> confusion but the question remains:
>
> Should we be able to decide whether an identity should be considered a
> "user" (Bind succeeds)?

I'm generally of the opinion that using "by users X" other than "by users
none" is a very bad idea and should be avoided, largely for the issues
above. A user is anything that had some sort of success in a BIND
operation, whether or not (particularly when dealing with SASL mechanisms)
it actually mapped to something in the database. It's only a small step
above "by anonymous X". There are valid reasons to allow a SASL bind that
doesn't actually map to something in the DB.
--Quanah
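
The distinction discussed in this message, as an added slapd.conf fragment that is not part of the original thread or of the OpenLDAP documentation. The suffix `dc=example,dc=com`, the `ou=people` container and the choice of `dn.onelevel` are assumptions made for illustration.

```conf
# Constructed example: search-based SASL identity mapping.
# If the search finds exactly one entry, the bind identity becomes that
# entry's DN. If it finds nothing, the Bind still succeeds and the
# identity stays in its unmapped form, uid=<name>,cn=<mech>,cn=auth.
authz-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# Broad form (left commented out): "users" matches every identity whose
# Bind succeeded, including an unmapped uid=<name>,cn=<mech>,cn=auth that
# has no entry in the database.
#
# access to dn.subtree="ou=people,dc=example,dc=com"
#     by users read
#     by * none

# Narrow form: grant access only to identities that actually mapped to an
# entry directly under ou=people. An unmapped SASL identity falls through
# to "by * none".
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.onelevel="ou=people,dc=example,dc=com" read
    by * none
```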