Michael Ströder wrote:
Hi!
I have some doubts about ACLs containing "by users" and the term "authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real directory entry what does "by users" then mean exactly?
It means anyone who has successfully authenticated, by any means.
It seems that slapd grants access with clause "by users" but I feel this is wrong. I'd prefer if "users" would mean fully-identified clients mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
I saw that slapd.access(5) also mentions "realusers" for the <WHO> field but using this instead of "users" makes no difference.
Obviously that's not what it means. The "real" prefix specifies the real user when proxy authorization is in effect.
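Added example (not from the thread or the OpenLDAP project): a slapd.conf fragment showing the distinction the reply makes. It assumes an LDAPI listener, the suffix dc=example,dc=com and an admin entry cn=admin,dc=example,dc=com; the authz-regexp maps the SASL/EXTERNAL authc-DN of a local root process to that entry, and the two access directives contrast "by users" with a DN-pattern clause that only admits clients whose authz-DN falls under the suffix.

```conf
# Added example; assumptions: LDAPI listener, suffix dc=example,dc=com,
# an existing entry cn=admin,dc=example,dc=com.

# Map the SASL/EXTERNAL authc-DN of a local root process over LDAPI to a
# real entry. Without such a mapping the client is still an authenticated
# client for ACL purposes; its DN merely looks like
# gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=admin,dc=example,dc=com"

# "by users" matches any successfully authenticated client, whether or not
# its authz-DN corresponds to an entry in this directory.
access to dn.subtree="ou=people,dc=example,dc=com"
  by users read
  by * none

# To admit only clients whose authz-DN lies under the directory suffix,
# match on the DN pattern instead of relying on "users". Matching is on the
# DN string; slapd does not verify that the entry exists.
access to dn.subtree="ou=restricted,dc=example,dc=com"
  by dn.subtree="dc=example,dc=com" read
  by * none
```

An unmapped LDAPI client (authz-DN under cn=auth) passes the first directive and fails the second; after the authz-regexp maps it to cn=admin,dc=example,dc=com it passes both.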