[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: by users in <WHO> field

Michael Ströder wrote:
Kurt Zeilenga wrote:

On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:

--On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu<hyc@symas.com>  wrote:

Michael Ströder wrote:

I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean

It means anyone who has successfully authenticated, by any means.

It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.

No. Such a restriction would prevent distributed authentication from ever

The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely
worthless, as any kerberos principal in the KDB that connects to the ldap
servers is considered a "user".

You confuse authentication with authorization.   In this case, that
principal is certainly authenticated.  It's just not authorized (in your
case).  There certainly may be cases where such users are authorized to
some degree.

Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".

But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another key-word "by
identifiedusers" with that semantics.

That's completely wrong. "Authentication" is the process by which one party asserts their identity to another party and provides proof of that assertion. If the client has authenticated successfully, then they have, by definition, identified themselves.

The authorization step happens *after* identification based on the (optionally
mapped) principal name.

Yes of course. And if you want some certain authenticated clients to be treated differently from other authenticated clients, that's your business. That's exactly what ACLs are for.

As an aside, if your authentication system identifies a large proportion of clients that you don't actually want to serve, it seems to me you're not using the right authentication system, but that's totally a side issue.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/