Re: by users in <WHO> field

Kurt, it's not that simple: Off course there was an successful authentication in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally you're done for processing "by users". But the user is not really *identified* in terms of an entity represented by a directory entry and therefore the behaviour looks strange to me because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing semantics of "by users" to "identified clients" or having another key-word "by identifiedusers" with that semantics. The authorization step happens *after* identification based on the (optionally mapped) principal name.