Re: by users in <WHO> field
> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <email@example.com>
>> Michael Ströder wrote:
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry what does "by users" then mean
>> It means anyone who has successfully authenticated, by any means.
>>> It seems that slapd grants access with clause "by users" but I feel
>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>> mapped to a real entry.
>> No. Such a restriction would prevent distributed authentication from
> The downside of not being able to specify authenticated DNs vs
> DNs that actually map to an entry in the database is that for some things
> (like SASL/GSSAPI setups) it makes the "users" value completely worthless,
> as any kerberos principal in the KDB that connects to the ldap servers is
> considered a "user". Thus I had to rework all my acls to avoid ever using
> the "users" concept when it would have been quite useful (and had to
> to sets instead).
access to ...
by dn.subtree="cn=auth" none
by users read
This would blow away non-mapped users, and give mapped ones the desired
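As an added illustration (written for this edit, not code from the thread or from slapd): a small Python evaluator for the <who> clauses used in the ACL above. slapd evaluates the "by" clauses of an "access to" directive in order and stops at the first <who> that matches the bound identity, so putting `by dn.subtree="cn=auth" none` ahead of `by users read` denies any identity whose authz-DN still ends in cn=auth (the form slapd gives an unmapped SASL identity) while leaving `users` intact for DNs that did map. The DN normalization here is deliberately simplified (lowercase, whitespace around commas stripped) and the sample identities are constructed; they follow slapd's default unmapped-identity shapes, uid=<user>,cn=<realm>,cn=<mech>,cn=auth for GSSAPI and the peercred form for SASL/EXTERNAL over ldapi.

```python
"""Constructed example: first-match evaluation of slapd-style <who> clauses.

Not slapd code. Shows why 'by dn.subtree="cn=auth" none' must precede
'by users read' if unmapped SASL identities are to be excluded.
"""
from dataclasses import dataclass


def normalize_dn(dn: str) -> str:
    # Simplified normalization (assumption): lowercase, strip whitespace
    # around commas. slapd uses RFC 4514 matching rules, which this is not.
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_in_subtree(dn: str, base: str) -> bool:
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class ByClause:
    who: str     # 'anonymous', 'users', '*', or 'dn.subtree="<base>"'
    access: str  # 'none', 'auth', 'compare', 'search', 'read', 'write'


def who_matches(clause: ByClause, bind_dn: str) -> bool:
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return bind_dn == ""
    if clause.who == "users":
        # As Howard states in the thread: any successfully authenticated
        # bind, whether or not the resulting DN names a real entry.
        return bind_dn != ""
    if clause.who.startswith('dn.subtree="') and clause.who.endswith('"'):
        base = clause.who[len('dn.subtree="'):-1]
        return bind_dn != "" and dn_in_subtree(bind_dn, base)
    raise ValueError(f"unsupported <who>: {clause.who}")


def evaluate(clauses: list[ByClause], bind_dn: str) -> str:
    # First matching <who> wins; with no match slapd grants no access.
    for clause in clauses:
        if who_matches(clause, bind_dn):
            return clause.access
    return "none"


# The ACL from the message above, and the 'users'-only form it replaces.
ACL_FROM_THREAD = [ByClause('dn.subtree="cn=auth"', "none"),
                   ByClause("users", "read")]
ACL_USERS_ONLY = [ByClause("users", "read")]
# Same two clauses in the wrong order: 'users' matches first, so the
# cn=auth exclusion is never reached.
ACL_WRONG_ORDER = list(reversed(ACL_FROM_THREAD))

# Constructed sample identities (not from the thread).
MAPPED = "uid=alice,ou=people,dc=example,dc=com"
UNMAPPED_GSSAPI = "uid=alice,cn=example.com,cn=gssapi,cn=auth"
UNMAPPED_LDAPI = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
ANONYMOUS = ""


def demo() -> dict[str, str]:
    """Access granted to each sample identity under each ACL variant."""
    identities = {"mapped": MAPPED, "gssapi_unmapped": UNMAPPED_GSSAPI,
                  "ldapi_unmapped": UNMAPPED_LDAPI, "anonymous": ANONYMOUS}
    acls = {"thread": ACL_FROM_THREAD, "users_only": ACL_USERS_ONLY,
            "wrong_order": ACL_WRONG_ORDER}
    return {f"{a}/{i}": evaluate(acl, dn)
            for a, acl in acls.items() for i, dn in identities.items()}


if __name__ == "__main__":
    for key, access in demo().items():
        print(f"{key:28s} -> {access}")
```

Running it shows the three outcomes the thread is arguing about: under `users` alone every Kerberos principal in the KDB reads, under the thread's ordering only the mapped DN reads, and with the two clauses swapped the exclusion has no effect at all.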