
Re: by users in <WHO> field



Quanah Gibson-Mount wrote:
> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc@symas.com>
> wrote:
>
>> Michael Ströder wrote:
>>> Hi!
>>>
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry, what does "by users" then mean
>>> exactly?
>>
>> It means anyone who has successfully authenticated, by any means.
>>
>>> It seems that slapd grants access with clause "by users" but I feel this
>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>> mapped to a real entry.
>>
>> No. Such a restriction would prevent distributed authentication from ever
>> working.
>
> The downside of not being able to specify authenticated DNs vs
> DNs that actually map to an entry in the database is that for some things
> (like SASL/GSSAPI setups) it makes the "users" value completely worthless,
> as any Kerberos principal in the KDB that connects to the LDAP servers is
> considered a "user". Thus I had to rework all my ACLs to avoid ever using
> the "users" concept when it would have been quite useful (and had to resort
> to sets instead).

Nonsense. There's a clear difference between SASL DNs and "real" DNs - just
write an ACL to deny access to any SASL DN, then only your users that were
successfully mapped to real DNs will have access.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
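The ACL shape Howard describes, as an added slapd.conf example that is not part of the thread or of OpenLDAP's own documentation: an unmapped SASL identity keeps the synthetic form `uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth`, so denying that pattern before the "by users" clause leaves "users" matching only identities that authz-regexp rewrote to a real entry. The suffix `dc=example,dc=com`, the `ou=people` container and the realm name are assumed values.

```conf
# Constructed example: map GSSAPI principals in the EXAMPLE.COM realm onto
# real entries. Principals from other realms, or other SASL mechanisms, keep
# their synthetic cn=auth DN because no rule rewrites them.
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "uid=$1,ou=people,dc=example,dc=com"

# by-clauses are evaluated in order and the first match wins, so the
# deny for synthetic SASL DNs must come before "by users".
access to dn.subtree="ou=people,dc=example,dc=com"
    # Any bind whose DN was NOT rewritten above still ends in cn=auth:
    # uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth. Deny it outright.
    by dn.regex="^uid=[^,]+,(cn=[^,]+,)?cn=[^,]+,cn=auth$" none
    # Remaining authenticated binds are mapped to real entries.
    by users read
    by * none
```

Verify the mapping with `ldapwhoami -Y GSSAPI` (or `-Y EXTERNAL -H ldapi:///`): a result still ending in `cn=auth` is an identity the first by-clause will reject.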