Kurt, it's not that simple: Of course there was a successful
authentication in case of SASL/EXTERNAL. Taking the term "authenticated
clients" literally you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented
by a directory entry and therefore the behaviour looks strange to me
because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd
prefer changing semantics of "by users" to "identified clients" or having
another key-word "by identifiedusers" with that semantics.
The authorization step happens *after* identification based on the
(optionally mapped) principal name.
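An added slapd.conf illustration of the distinction discussed above (not part of the original message; the suffix, subtree and uidNumber values are constructed). It shows the mapping step that turns a SASL authc-DN into a directory entry, then the two ACL variants side by side: `by users`, which matches any authenticated client whether or not its authc-DN was mapped, and a `dn.subtree` clause that only matches bound DNs that actually live in the DIT.

```conf
# Mapping step: turn the SASL/EXTERNAL authc-DN generated for ldapi://
# peer credentials into a real entry under ou=people. A client whose
# uidNumber has no matching entry keeps its synthetic cn=auth DN.
# (Pattern and search URL are constructed for this example.)
authz-regexp
  "gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth"
  "ldap:///ou=people,dc=example,dc=com??one?(uidNumber=$1)"

# Variant A: "by users" means "any successfully authenticated client".
# An unmapped authc-DN such as
#   gidNumber=1000+uidNumber=4242,cn=peercred,cn=external,cn=auth
# still matches this clause, even though no entry represents it.
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
    by * none

# Variant B (use instead of A, not in addition): only bound DNs that are
# entries below ou=people match. An unmapped cn=auth DN is not under that
# subtree, so it falls through to "by * none".
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.subtree="ou=people,dc=example,dc=com" read
    by * none
```

Checking which DN a bind actually resolved to (for example with `ldapwhoami -Y EXTERNAL -H ldapi:///`) before writing the ACL shows whether the mapping applied and therefore which variant the clause will match.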