Michael Ströder wrote:
> I have some doubts about ACLs containing "by users" and the term
> "authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
> (e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
> directory entry what does "by users" then mean exactly?
It means anyone who has successfully authenticated, by any means.
> It seems that slapd grants access with clause "by users"
> but I feel this is
> wrong. I'd prefer if "users" would mean fully-identified clients mapped to
No. Such a restriction would prevent distributed authentication from ever working.
> I saw that slapd.access(5) also mentions "realusers" for the <WHO> field
> using this instead of "users" makes no difference.
Obviously that's not what it means. The "real" prefix specifies the real
when proxy authorization is in effect.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
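The following slapd.conf fragment is an added illustration of the points made in this exchange; it is not part of the thread and not OpenLDAP project code. The suffix dc=example,dc=com, the entry uid=alice and the local uid 1000 are assumed values.

```conf
# Added example (not from the thread). Assumed: suffix dc=example,dc=com,
# entry uid=alice,ou=people,dc=example,dc=com, local OS account uid 1000.

# 1. A SASL/EXTERNAL bind over LDAPI without any mapping yields an authc-DN
#    of the form
#      gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
#    That DN is not a directory entry, but the bind succeeded, so the
#    identity is non-anonymous and satisfies "by users".  To see the
#    identity slapd will evaluate ACLs against, run:
#      ldapwhoami -Y EXTERNAL -H ldapi:///

# 2. Mapping the OS-level identity onto a real entry.  Without a matching
#    authz-regexp the bind still succeeds, just as the ...cn=auth DN.
authz-regexp
    "gidNumber=[0-9]+\+uidNumber=1000,cn=peercred,cn=external,cn=auth"
    "uid=alice,ou=people,dc=example,dc=com"

# 3. "users" matches any successfully authenticated identity, mapped or not.
#    A clause that should apply only to a fully identified client has to
#    name that client (dn.exact, dn.subtree, group, ...) instead.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by users none

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="uid=alice,ou=people,dc=example,dc=com" write
    by users read
    by * none

# 4. "realusers" / "realdn" only differ from "users" / "dn" when proxy
#    authorization is in effect (authz-policy together with authzTo /
#    authzFrom): the "real" forms test the identity that actually bound,
#    not the identity it was allowed to assume.  Without proxy
#    authorization both forms see the same DN, which is why swapping
#    "users" for "realusers" changes nothing in the LDAPI case above.
access to dn.subtree="ou=admin,dc=example,dc=com"
    by realdn.exact="uid=alice,ou=people,dc=example,dc=com" write
    by realusers read
    by * none
```

The ldapwhoami check is the quickest way to confirm whether an authz-regexp actually fired: the output is either the mapped entry DN or the raw cn=peercred,cn=external,cn=auth form, and either one counts as "users".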