
Re: by users in <WHO> field



> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc@symas.com>
> wrote:
>
>> Michael Ströder wrote:
>>> HI!
>>>
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry what does "by users" then mean
>>> exactly?
>>
>> It means anyone who has successfully authenticated, by any means.
>>
>>> It seems that slapd grants access with clause "by users" but I feel this
>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>> mapped to a real entry.
>>
>> No. Such a restriction would prevent distributed authentication from ever
>> working.
>
> The downside of not being able to specify authenticated DNs vs
> DNs that actually map to an entry in the database is that for some things
> (like SASL/GSSAPI setups) it makes the "users" value completely worthless,
> as any Kerberos principal in the KDB that connects to the LDAP servers is
> considered a "user". Thus I had to rework all my ACLs to avoid ever using
> the "users" concept when it would have been quite useful (and had to resort
> to sets instead).

What about

access to ...
    by dn.subtree="cn=auth" none
    by users read

This would blow away non-mapped users, and give mapped ones the desired
access.

p.
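To show why the ordering of the two <by> clauses matters, here is a toy model of slapd's first-match evaluation. It is an added illustration, not OpenLDAP code or anything from the thread; the bind DNs it uses are constructed examples, and the `cn=auth` pseudo-DN layout is assumed to follow the usual `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` shape of an unmapped SASL identity.

```python
"""Toy model of how slapd picks a <by> clause for a bound identity.

slapd walks the <by> clauses in order and the first <who> that matches
the bound DN decides the access level. SASL identities that are not
mapped to a directory entry appear as pseudo-DNs under "cn=auth", and
"users" matches any authenticated DN, mapped or not. The DNs below are
constructed examples, not taken from any real deployment.
"""
from typing import List, Optional, Tuple


def dn_components(dn: str) -> List[str]:
    # Split a DN into normalised RDNs; toy parser, no escaping support.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    # True if dn equals base or lies beneath it (RDN suffix match).
    dn_rdns, base_rdns = dn_components(dn), dn_components(base)
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    # Subset of slapd <who> forms: "*", "anonymous", "users", dn.subtree="...".
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None  # any authenticated identity, mapped or not
    if who.startswith('dn.subtree="') and who.endswith('"'):
        return bind_dn is not None and in_subtree(bind_dn, who[12:-1])
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(by_clauses: List[Tuple[str, str]], bind_dn: Optional[str]) -> str:
    # First matching clause wins; slapd's implicit default is "by * none".
    for who, access in by_clauses:
        if who_matches(who, bind_dn):
            return access
    return "none"


# The ordering proposed above: unmapped SASL identities are excluded first.
PROPOSED = [('dn.subtree="cn=auth"', "none"), ("users", "read")]
# The naive form that treats every authenticated bind the same.
NAIVE = [("users", "read")]

# Constructed identities: one mapped to a real entry, two unmapped.
MAPPED = "uid=alice,ou=people,dc=example,dc=com"
UNMAPPED_GSSAPI = "uid=alice,cn=example.com,cn=gssapi,cn=auth"
UNMAPPED_EXTERNAL = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
```

Swapping the two clauses in `PROPOSED` puts `users` first, so the `cn=auth` exclusion is never reached and unmapped identities get `read` again.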