I have some doubts about ACLs containing "by users" and the term "authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real directory entry, what does "by users" then mean exactly?
It seems that slapd grants access with the clause "by users" but I feel this is wrong. I'd prefer it if "users" meant fully-identified clients mapped to a real entry.
I saw that slapd.access(5) also mentions "realusers" for the <WHO> field, but using this instead of "users" makes no difference.
Ciao, Michael.