--On Tuesday, April 18, 2023 4:43 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
Recently seen a few people assume that authz-regexp search-based mappings enforce that an entry is found or the Bind is failed, which is not the case. Obviously the admin guide[0] should be adjusted not to cause more confusion but the question remains:
Should we be able to decide whether an identity should be considered a "user" (Bind succeeds)?
I'm generally of the opinion that using "by users X" other than "by users none" is a very bad idea and should be avoided, largely for the issues above. A user is anything that had some sort of success in a BIND operation, whether or not (particularly when dealing with SASL mechanisms) it actually mapped to something in the database. It's only a small step above "by anonymous X". There are valid reasons to allow a SASL bind that doesn't actually map to something in the DB.
--Quanah
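An added configuration sketch of the point discussed in this thread, not taken from either message or from the OpenLDAP documentation. The suffix `dc=example,dc=com`, the `ou=people` container and the regexp are constructed placeholders, and the sketch assumes that a SASL identity for which the search finds no entry keeps its `cn=auth` form DN after a successful Bind.

```conf
# Constructed slapd.conf fragment; all DNs below are placeholders.

# Search-based SASL mapping: look under ou=people for an entry whose
# uid equals the SASL username. If the search finds nothing, the Bind
# is not failed; the identity stays in its uid=...,cn=auth form.
authz-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# Variant A (weak): "users" matches every identity that completed a
# Bind, including a SASL identity that mapped to no entry, so such an
# identity is granted read access here.
access to dn.subtree="dc=example,dc=com"
    by users read
    by * none

# Variant B (use instead of A, not together with it): grant access by
# DN scope, so only identities that resolved to an entry under
# ou=people match, then stop every other authenticated identity with
# an explicit "by users none".
access to dn.subtree="dc=example,dc=com"
    by dn.subtree="ou=people,dc=example,dc=com" read
    by users none
    by * none
```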