I've recently seen a few people assume that authz-regexp search-based mappings
enforce that an entry is found or the Bind fails, which is not the
case. Obviously the admin guide[0] should be adjusted so as not to cause more
confusion, but the question remains:
Should we be able to decide whether an identity should be considered a
"user" (Bind succeeds)?
Right now, trusting certificates issued by a CA means *all* of them will
always be accepted for Binding against the server if valid. The same holds for
other SASL mechanisms (Kerberos, ...), but those tend to have another way
of setting up a policy that can be decided for a specific combination of
identity+server.
It mostly matters for internal ACL purposes: those clients have passed a
Bind and so are considered "users", complicating ACL design somewhat.
Accepting a SASL Bind for authorisation in external clients is of less
value; it can only give a yes/no answer where a more detailed answer is
usually needed anyway.
It might be possible to make the search-based mappings a policy point,
letting a mapping that triggered but failed to map to an entry become an
indication that the Bind should be denied. This would be a considerable
change for some deployments out there, while it might protect some that
(wrongly) assumed this to be the case already. Obviously "Direct
Mappings" would stay unaffected because they should be well understood
already[1].
[0]. https://www.openldap.org/doc/admin26/sasl.html#Search-based%20mappings
[1]. Admin guide for direct mappings already says "it allows mapping to
DNs which refer to entries not held by this server" in the first
paragraph
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP