Re: by users in <WHO> field

[Kurt Zeilenga <Kurt@OpenLDAP.org>]

On Apr 2, 2010, at 12:30 PM, Michael Ströder wrote:

> Kurt Zeilenga wrote:
>> 
>> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>> 
>>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc@symas.com> wrote:
>>> 
>>>> Michael Ströder wrote:
>>>>> HI!
>>>>> 
>>>>> I have some doubts about ACLs containing "by users" and the term
>>>>> "authenticated clients" used in the man pages: If I bind with
>>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>>> authz-DN of a real directory entry what does "by users" then mean
>>>>> exactly?
>>>> 
>>>> It means anyone who has successfully authenticated, by any means.
>>>> 
>>>>> It seems that slapd grants access with clause "by users" but I feel this
>>>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>>>> mapped to a real entry.
>>>> 
>>>> No. Such a restriction would prevent distributed authentication from ever
>>>> working.
>>> 
>>> The downside of not being able to be able to specify authenticated DNs vs
>>> DNs that actually map to an entry in the database is that for some things
>>> (like SASL/GSSAPI setups) it makes the "users" value completely
>>> worthless, as any kerberos principal in the KDB that connects to the ldap
>>> servers is considered a "user".
>> 
>> You confuse authentication with authorization.   In this case, that
>> principal is certainly authenticated.  It's just not authorized (in your
>> case).  There certainly may be cases where such users are authorized to
>> some degree.
> 
> Kurt, it's not that simple: Off course there was an successful authentication
> in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
> you're done for processing "by users".
> 
> But the user is not really *identified* in terms of an entity represented by a
> directory entry and therefore the behaviour looks strange to me because no-one
> wants to deal with SASL authc-DNs when designing ACLs.

The user identity was verified.  Whether they have an entry or not is not factor in authentication (excepting to the extent that entry holds credential informaiton).

What you are saying is you want authenticated users with a directory entry to have different authorization than authenticated users without a directory entry.

IIRC, if you want all authenticated users without a directory entry to be treated as anonymous, you can perform a authzid mapping through an LDAP lookup and basically force that behavior.


> I'd prefer changing
> semantics of "by users" to "identified clients" or having another key-word "by
> identifiedusers" with that semantics.

Clients are always identified (generally by IP address).  But they are always authenticated.  Authentication is the step which verifies identity.

Users is defined as meaning "authenticated users", which is quite correct.

> The authorization step happens *after* identification based on the (optionally
> mapped) principal name.

Actually, there's (at least) two different forms of authorization going on:  Service level authorization and Information access authorization.

access statements are about the latter.

One can control the former by having authorization mappings fail, by various require statements, etc.

-- Kurt
>