
Re: by users in <WHO> field



On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:

> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc@symas.com> wrote:
> 
>> Michael Ströder wrote:
>>> HI!
>>> 
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry what does "by users" then mean
>>> exactly?
>> 
>> It means anyone who has successfully authenticated, by any means.
>> 
>>> It seems that slapd grants access with clause "by users" but I feel this
>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>> mapped to a real entry.
>> 
>> No. Such a restriction would prevent distributed authentication from ever
>> working.
> 
> The downside of not being able to specify authenticated DNs vs DNs that actually map to an entry in the database is that for some things (like SASL/GSSAPI setups) it makes the "users" value completely worthless, as any Kerberos principal in the KDB that connects to the ldap servers is considered a "user".

You confuse authentication with authorization. In this case, that principal is certainly authenticated. It's just not authorized (in your case). There certainly may be cases where such users are authorized to some degree.

> Thus I had to rework all my acls to avoid ever using the "users" concept when it would have been quite useful (and had to resort to sets instead).
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
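An added slapd.conf-style example (not from this thread, and not Quanah's or Howard's configuration) showing the distinction discussed above: "by users" matches any authenticated identity, while a dn.subtree or set clause only matches identities whose bind DN sits in (or dereferences to) a real directory entry. The suffix dc=example,dc=com, the ou=People/ou=Public/ou=Projects subtrees and the realm example.com are assumed; the set form using user/objectClass is one assumed way to get the effect Quanah describes, not his actual ACLs.

```conf
# Assumed layout: real user entries live under ou=People,dc=example,dc=com.

# GSSAPI identities arrive as uid=<principal>,cn=example.com,cn=gssapi,cn=auth.
# This maps principals that have an entry to that entry; a principal with no
# matching entry keeps its synthetic cn=auth DN but is still authenticated.
authz-regexp
  "uid=([^,]+),cn=example.com,cn=gssapi,cn=auth"
  "ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)"

# "by users": every authenticated identity, mapped to an entry or not.
# An unmapped principal is authenticated, so it is granted read here.
access to dn.subtree="ou=Public,dc=example,dc=com"
  by users read
  by * none

# Restrict to bind DNs inside the real user subtree. A synthetic
# ...,cn=auth DN lies outside it and therefore falls through to "by * none".
access to dn.subtree="ou=People,dc=example,dc=com"
  by self write
  by dn.subtree="ou=People,dc=example,dc=com" read
  by * none

# Set form (assumed): "user/objectClass" dereferences the bound DN's entry,
# so the set is empty unless that entry actually exists in the database.
access to dn.subtree="ou=Projects,dc=example,dc=com"
  by set="user/objectClass & [inetOrgPerson]" read
  by * none
```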