Re: by users in <WHO> field
Kurt Zeilenga wrote:
> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <email@example.com> wrote:
>>> Michael Ströder wrote:
>>>> I have some doubts about ACLs containing "by users" and the term
>>>> "authenticated clients" used in the man pages: If I bind with
>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>> authz-DN of a real directory entry, what does "by users" then mean?
>>> It means anyone who has successfully authenticated, by any means.
>>>> It seems that slapd grants access with clause "by users" but I feel this
>>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>>> mapped to a real entry.
>>> No. Such a restriction would prevent distributed authentication from ever
>> The downside of not being able to specify authenticated DNs vs
>> DNs that actually map to an entry in the database is that for some things
>> (like SASL/GSSAPI setups) it makes the "users" value completely
>> worthless, as any Kerberos principal in the KDB that connects to the LDAP
>> servers is considered a "user".
> You confuse authentication with authorization. In this case, that
> principal is certainly authenticated. It's just not authorized (in your
> case). There certainly may be cases where such users are authorized to
> some degree.
Kurt, it's not that simple: Of course there was a successful authentication
in the case of SASL/EXTERNAL. Taking the term "authenticated clients" literally,
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry, and therefore the behaviour looks strange to me, because no one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing the
semantics of "by users" to "identified clients" or having another keyword "by
identifiedusers" with that semantics.
The authorization step happens *after* identification based on the (optionally
mapped) principal name.
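The following slapd.conf fragment is an added illustration of the distinction argued over in this thread; it is not from the thread or from the OpenLDAP project. It contrasts a "by users" clause, which matches every successfully authenticated bind including an unmapped SASL authc-DN under cn=auth, with a clause that only matches binds whose (mapped) DN is a real entry. The suffix dc=example,dc=com, the ou=People container and the realm component in the authz-regexp pattern are assumed names for the example.

```conf
# Added example, not from the thread. Assumed: suffix dc=example,dc=com,
# user entries under ou=People, GSSAPI used for Kerberos binds.

# Map GSSAPI principals onto real entries. A principal with no matching
# entry keeps its SASL authc-DN, e.g. (constructed):
#   uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# The realm component is made optional here since its presence and case
# depend on the SASL setup (assumption).
authz-regexp
    "^uid=([^,]+)(,cn=[^,]+)?,cn=gssapi,cn=auth$"
    "ldap:///ou=People,dc=example,dc=com??one?(uid=$1)"

# Use ONE of the two access stanzas below; slapd evaluates the first
# "access to" whose target matches, so a second one for the same
# subtree would never be reached.

# Variant A: "by users" grants read to any authenticated bind, mapped
# or not (the behaviour the thread describes).
#access to dn.subtree="ou=People,dc=example,dc=com"
#    by self write
#    by users read
#    by anonymous auth

# Variant B: read only for binds whose DN is an entry under ou=People.
# An unmapped authc-DN sits under cn=auth, matches nothing here and
# falls through to "by * none" (the implicit default, spelled out).
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by dn.subtree="ou=People,dc=example,dc=com" read
    by anonymous auth
    by * none
```

To see which DN a given bind actually carries, run `ldapwhoami -Y EXTERNAL -H ldapi:///` (or `-Y GSSAPI`) against the server: an identity that was not mapped is reported with a DN ending in `cn=auth`, which is exactly what Variant A's "by users" still accepts and Variant B does not. The `slapacl` tool can then be used offline against the same configuration to confirm what access a particular bind DN gets to a particular entry before the change goes live.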