I've recently seen a few people assume that authz-regexp search-based mappings enforce that an entry is found or the Bind fails, which is not the case. Obviously the admin guide[0] should be adjusted so as not to cause more confusion, but the question remains:
Should we be able to decide whether an identity should be considered a "user" (Bind succeeds)?
Right now, trusting certificates issued by a CA means *all* of them will always be accepted, if valid, for Binding against the server. It is similar with other SASL mechanisms (Kerberos, ...), but those tend to have another way of setting up a policy that can be decided for a specific combination of identity+server.
It mostly matters for internal ACL purposes: those clients have passed a Bind and so are considered "users", which complicates ACL design somewhat. Accepting a SASL Bind for authorisation in external clients is of less value; it can only give a yes/no answer where a more detailed answer is usually needed anyway.
It might be possible to make the search-based mappings a policy point, letting a mapping that triggered but failed to map to an entry become an indication that the Bind should be denied. This would be a considerable change for some deployments out there, while it might protect some that (wrongly) assumed this to be the case already. Obviously "Direct Mappings" would stay unaffected because they should be well understood already[1].
[0] https://www.openldap.org/doc/admin26/sasl.html#Search-based%20mappings
[1] The admin guide for direct mappings already says "it allows mapping to DNs which refer to entries not held by this server" in the first paragraph.
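To make the behaviour discussed above concrete, here is an added slapd.conf fragment written for this page (it is not from the thread, the admin guide, or the OpenLDAP project). It shows a search-based authz-regexp mapping for a Kerberos identity and for a TLS client certificate, the "by users" ACL that also admits identities whose search found no entry, and a narrower ACL keyed on the DN namespace that only a successful mapping can produce. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the certificate subject naming under o=example,c=us and the host ldap.example.com are all assumed.

```conf
# Added example, not from the thread or the OpenLDAP admin guide.
# Assumed: Kerberos realm EXAMPLE.COM, suffix dc=example,dc=com,
# people entries under ou=people,dc=example,dc=com, client certificates
# with subjects of the form cn=<name>,ou=people,o=example,c=us.

# Search-based mapping for GSSAPI identities (cn=config: olcAuthzRegexp).
# The SASL identity uid=joe,cn=example.com,cn=gssapi,cn=auth becomes a
# search for (uid=joe) under ou=people. Unless exactly one entry is found,
# the identity stays unmapped, and the Bind STILL SUCCEEDS with the Bind DN
# left as uid=joe,cn=example.com,cn=gssapi,cn=auth, which is not in the DIT.
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# Same for SASL EXTERNAL with TLS client certificates: every valid
# certificate from the trusted CA can Bind; only those with a matching
# entry get mapped into ou=people,dc=example,dc=com.
authz-regexp
    "^cn=([^,]+),ou=people,o=example,c=us$"
    "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# Weak ACL (cn=config: olcAccess), shown commented out because the first
# matching "access to" clause wins: "by users" matches anything that passed
# a Bind, including identities whose search returned no entry at all.
# access to dn.subtree="ou=internal,dc=example,dc=com"
#     by users read
#     by * none

# Narrower ACL: grant only to DNs that can result from a successful mapping.
# An unmapped GSSAPI identity (...,cn=gssapi,cn=auth) or an unmapped
# certificate DN (...,o=example,c=us) is not under ou=people,dc=example,dc=com,
# so it falls through to "by * none".
access to dn.subtree="ou=internal,dc=example,dc=com"
    by dn.children="ou=people,dc=example,dc=com" read
    by * none

# Check which form a given identity actually ends up with:
#   ldapwhoami -Y GSSAPI -H ldap://ldap.example.com
# prints dn:uid=joe,ou=people,dc=example,dc=com when the mapping matched an
# entry, and dn:uid=joe,cn=example.com,cn=gssapi,cn=auth when it did not;
# in both cases the Bind itself succeeded.
```

The point of the second ACL is that a DN-based "by" clause is matched as a string against the Bind DN, so it distinguishes mapped from unmapped identities only when the unmapped forms cannot fall inside the granted subtree. If certificate subjects were issued under dc=example,dc=com instead of o=example,c=us, an unmapped certificate DN would match dn.children as well, and the ACL would be no better than "by users".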
Always remember that authentication and authorization are different things. Many more entities might be able to authenticate than are authorized to take any particular action.
--On Tuesday, April 18, 2023 4:43 PM +0200 Ondřej Kuzník ondra@mistotebe.net wrote:
> I've recently seen a few people assume that authz-regexp search-based mappings enforce that an entry is found or the Bind fails, which is not the case. Obviously the admin guide[0] should be adjusted so as not to cause more confusion, but the question remains:
> Should we be able to decide whether an identity should be considered a "user" (Bind succeeds)?
I'm generally of the opinion that using "by users X" other than "by users none" is a very bad idea and should be avoided, largely for the issues above. A user is anything that had some sort of success in a BIND operation, whether or not (particularly when dealing with SASL mechanisms) it actually mapped to something in the database. It's only a small step above "by anonymous X". There are valid reasons to allow a SASL bind that doesn't actually map to something in the DB.
--Quanah