--On Friday, April 02, 2010 9:30 PM +0200 Michael Ströder
Kurt, it's not that simple: Off course there was an successful
authentication in case of SASL/EXTERNAL. Taking the term "authenticated
clients" literally you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented
by a directory entry and therefore the behaviour looks strange to me
because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd
prefer changing semantics of "by users" to "identified clients" or
another key-word "by identifiedusers" with that semantics.
The authorization step happens *after* identification based on the
(optionally mapped) principal name.
We do this elsewhere. Perhaps usersz and usersc? (Similar to authc and
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration