[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: by users in <WHO> field



Kurt Zeilenga wrote:
> 
> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
> 
>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc@symas.com> wrote:
>>
>>> Michael Ströder wrote:
>>>> HI!
>>>>
>>>> I have some doubts about ACLs containing "by users" and the term
>>>> "authenticated clients" used in the man pages: If I bind with
>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>> authz-DN of a real directory entry what does "by users" then mean
>>>> exactly?
>>>
>>> It means anyone who has successfully authenticated, by any means.
>>>
>>>> It seems that slapd grants access with clause "by users" but I feel this
>>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>>> mapped to a real entry.
>>>
>>> No. Such a restriction would prevent distributed authentication from ever
>>> working.
>>
>> The downside of not being able to be able to specify authenticated DNs vs
>> DNs that actually map to an entry in the database is that for some things
>> (like SASL/GSSAPI setups) it makes the "users" value completely
>> worthless, as any kerberos principal in the KDB that connects to the ldap
>> servers is considered a "user".
> 
> You confuse authentication with authorization.   In this case, that
> principal is certainly authenticated.  It's just not authorized (in your
> case).  There certainly may be cases where such users are authorized to
> some degree.

Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".

But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another key-word "by
identifiedusers" with that semantics.

The authorization step happens *after* identification based on the (optionally
mapped) principal name.

Ciao, Michael.