
Re: by users in <WHO> field

Michael Ströder wrote:

I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
(e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
directory entry what does "by users" then mean exactly?

It means anyone who has successfully authenticated, by any means.

It seems that slapd grants access with the clause "by users" but I feel this is
wrong. I'd prefer it if "users" meant fully-identified clients mapped to a
real entry.

No. Such a restriction would prevent distributed authentication from ever working.

I saw that slapd.access(5) also mentions "realusers" for the <WHO> field but
using this instead of "users" makes no difference.

Obviously that's not what it means. The "real" prefix specifies the real user when proxy authorization is in effect.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
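To illustrate the distinction discussed above, here is an added slapd.conf fragment (not from the thread or from OpenLDAP's documentation) that assumes a suffix of dc=example,dc=com, an ldapi:/// listener, and the peercred authc-DN form slapd produces for SASL/EXTERNAL over ldapi; the entries, uids and ACLs are constructed for the example.

```conf
# Added example (not from the thread). Assumes a suffix of dc=example,dc=com
# and a client binding with SASL/EXTERNAL over ldapi:///, whose authc-DN
# slapd derives from the peer's uid/gid, e.g.
#   gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
# (what "ldapwhoami -Y EXTERNAL -H ldapi:///" reports for such a client).

# Only this one peer is mapped to a real entry; every other ldapi peer keeps
# the cn=auth pseudo-DN, which corresponds to no entry in the directory.
authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=example,dc=com"

# "by users" matches any successfully authenticated client, mapped or not,
# so an unmapped ldapi peer still gets read access here.
access to dn.subtree="ou=people,dc=example,dc=com"
  by self write
  by users read
  by anonymous auth

# To grant access only to clients whose authz-DN is a real entry under the
# suffix, match on the DN instead of the "users" keyword: the cn=auth
# pseudo-DN matches neither clause and falls through to the implicit
# "by * none".
access to dn.subtree="ou=private,dc=example,dc=com"
  by self write
  by dn.subtree="dc=example,dc=com" read
  by anonymous auth
```

Clauses are evaluated in order and the first match wins, so keep the narrower "by dn.subtree" clause before any broader "by users" clause when both appear on the same ACL.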