--On Friday, April 02, 2010 9:30 PM +0200 Michael Ströder michael@stroeder.com wrote:
> Kurt, it's not that simple: Of course there was a successful authentication in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally you're done for processing "by users".
> But the user is not really *identified* in terms of an entity represented by a directory entry and therefore the behaviour looks strange to me because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing semantics of "by users" to "identified clients" or having another key-word "by identifiedusers" with that semantics.
> The authorization step happens *after* identification based on the (optionally mapped) principal name.
We do this elsewhere. Perhaps usersz and usersc? (Similar to authc and authz?)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
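To make the distinction in the thread concrete, here is an added cn=config fragment (example configuration, not from the thread or from OpenLDAP's own documentation; the suffix dc=example,dc=com, the ou=people subtree and the database index {1}mdb are assumed). It shows the SASL/EXTERNAL authc DN that "by users" matches even when no directory entry is involved, the olcAuthzRegexp mapping that turns it into an identified entry, and an ACL that gives read access only to the mapped (identified) clients:

```ldif
# Added example, not part of the original thread. A client binding with
# SASL/EXTERNAL over ldapi:// gets an authc DN of the form
#   gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
# That DN is not an entry in the DIT, yet the bind is authenticated, so a
# plain "by users" clause matches it. Mapping it to a real entry with
# olcAuthzRegexp is what makes the client "identified" in Michael's sense.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}gidNumber=([0-9]+)\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth
  ldap:///ou=people,dc=example,dc=com??one?(uidNumber=$2)

# Assumed database index and suffix. Note that "replace" discards any existing
# olcAccess values on this database; adjust for a real deployment.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# A SASL authc DN that was NOT mapped to an entry still ends in cn=auth; deny
# it explicitly before the generic "by users" clause. A mapped client's DN is
# the entry under ou=people, so it falls through to "by users read".
olcAccess: {0}to dn.subtree="dc=example,dc=com"
  by dn.regex="^.*,cn=auth$" none
  by users read
  by * none
```

The ordering matters: ACL "by" clauses are evaluated in sequence, so the cn=auth match has to come before "by users" to have any effect.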