
Re: by users in <WHO> field



> Kurt Zeilenga wrote:
>> IIRC, if you want all authenticated users without a directory entry to be
>> treated as anonymous, you can perform an authzid mapping through an LDAP
>> lookup and basically force that behavior.
>
> Actually my slapd.conf contains an authz-regexp directive for that purpose. But
> although there's no authz-DN found for the technical authc-DN the client is
> treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's
> wrong.
>
> So I have to add the work-around <WHO> field Pierangelo suggested to all those
> ACLs.

I wouldn't call that exactly a "workaround", since it does things the way
they are intended to be done.  As many pointed out, "users" means
"authenticated", and they actually are.  ACLs allow you to give specific
privileges based on the identity, and that's the way I'd use it.  Any way
that allows you to tell, based on their DN, whether authenticated users
actually correspond to an in-directory entry, is good for the purpose.
Remember: it's your own rule that gives higher privileges to users with an
in-directory entry.  In general, this cannot be considered a generally
valid rule, as it would basically prevent authenticated distributed
directory operations.

p.
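A constructed slapd.conf fragment, added here and not taken from the thread or from the OpenLDAP documentation, showing the approach described above: map authenticated identities to their entries with authz-regexp, then grant the extra privilege in the ACL by DN subtree rather than with `by users`, so an authenticated identity with no in-directory entry falls through to the same clause as an anonymous bind. The suffix `dc=example,dc=com`, the `ou=People` container and the SASL DN shape are assumptions.

```conf
# Constructed example (not from the thread). Map a SASL/technical
# authc-DN of the form uid=<user>,cn=<mech>,cn=auth to the matching
# entry under ou=People. If the lookup finds no entry, the bind stays
# at the authc-DN, which is still "authenticated" as far as "users"
# is concerned.
authz-regexp
    "^uid=([^,]+),cn=[^,]+,cn=auth$"
    "ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)"

# Rather than "by users read", decide on the bound DN itself: only
# identities whose authz-DN lies under ou=People (i.e. that resolved
# to a real entry) get read access. A technical authc-DN such as
# uid=svc,cn=digest-md5,cn=auth does not match the subtree and hits
# the final "by * none", exactly like an anonymous client.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by dn.subtree="ou=People,dc=example,dc=com" read
    by * none
```

Clauses are evaluated in order and the first matching `by` wins, so keep the subtree clause above any `by users` or `by *` clause you retain.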