Kurt Zeilenga wrote:
IIRC, if you want all authenticated users without a directory entry to be treated as anonymous, you can perform a authzid mapping through an LDAP lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose. But although there's no authz-DN found for the technical authc-DN the client is treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's wrong.
So I have to add the work-around <WHO> field Pierangelo suggested to all those ACLs.
I wouldn't call that exactly a "workaround", since it does things the way they are intended to be done. As many pointed out, "users" means "authenticated", and they actually are. ACLs allow you to give specific privileges based on the identity, and that's the way I'd use. Any way that allows to tell, based on their DN, whether authenticated users actually correspond to an in-directory entry, is good for the purpose. Remember: it's your own rule that gives higher privileges to users with an in-directory entry. In general, this cannot be considered a generally valid rule, as it would basically prevent authenticated distributed directory operations.