> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <h...@symas.com> wrote:
>
>> Michael Ströder wrote:
>>> HI!
>>>
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry, what does "by users" then mean
>>> exactly?
>>
>> It means anyone who has successfully authenticated, by any means.
>>
>>> It seems that slapd grants access with clause "by users" but I feel
>>> this is wrong. I'd prefer if "users" would mean fully-identified
>>> clients mapped to a real entry.
>>
>> No. Such a restriction would prevent distributed authentication from
>> ever working.
>
> The downside of not being able to specify authenticated DNs vs.
> DNs that actually map to an entry in the database is that for some things
> (like SASL/GSSAPI setups) it makes the "users" value completely worthless,
> as any Kerberos principal in the KDB that connects to the LDAP servers is
> considered a "user". Thus I had to rework all my ACLs to avoid ever using
> the "users" concept when it would have been quite useful (and had to
> resort to sets instead).
What about

    access to ...
        by dn.subtree="cn=auth" none
        by users read

This would blow away non-mapped users, and give mapped ones the desired access.

p.
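The pattern from the reply above spelled out as a full slapd.conf fragment, with the weak form beside the corrected one. This is an added example, not from the thread; it assumes a database with suffix dc=example,dc=com, and the cn=auth DN shapes in the comments are the ones slapd synthesises for SASL identities that no authz-regexp maps to an entry.

```conf
# Added example (not from the thread). Assumes a database whose suffix is
# dc=example,dc=com.
#
# A SASL bind whose authc identity is not mapped (authz-regexp) to a real
# entry keeps its synthesised DN under cn=auth, for example:
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth   (EXTERNAL over ldapi://)
#   uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth                (GSSAPI)
# Both identities are "authenticated", so the "users" selector matches them.

# Weak: every authenticated identity, mapped to an entry or not, can read.
access to dn.subtree="dc=example,dc=com"
    by users read
    by * none

# Corrected: "by" clauses are evaluated in order and the first matching
# clause decides, so the cn=auth subtree must be denied before "by users"
# is reached. Mapped identities (real entries) never carry a cn=auth DN
# and still fall through to "by users read".
access to dn.subtree="dc=example,dc=com"
    by dn.subtree="cn=auth" none
    by users read
    by * none
```

Running `ldapwhoami -Y EXTERNAL -H ldapi:///` (or with `-Y GSSAPI`) shows the DN a bind actually ends up with, which is the quickest way to confirm whether a given identity lands under cn=auth and would therefore be caught by the first clause.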