On Apr 2, 2010, at 12:30 PM, Michael Ströder wrote:
> Kurt Zeilenga wrote:
>> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
>>
>>>> Michael Ströder wrote:
>>>>> HI!
>>>>
>>>>> I have some doubts about ACLs containing "by users" and the term
>>>>> "authenticated clients" used in the man pages: If I bind with
>>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>>> authz-DN of a real directory entry what does "by users" then mean
>>>>> exactly?
>>>
>>>> It means anyone who has successfully authenticated, by any means.
>>>
>>>>> It seems that slapd grants access with clause "by users" but I feel this
>>>>> is wrong. I'd prefer if "users" would mean fully-identified clients
>>>>> mapped to a real entry.
>>>
>>>> No. Such a restriction would prevent distributed authentication from ever
>>>> working.
>>
>>> The downside of not being able to specify authenticated DNs vs
>>> DNs that actually map to an entry in the database is that for some things
>>> (like SASL/GSSAPI setups) it makes the "users" value completely
>>> worthless, as any kerberos principal in the KDB that connects to the ldap
>>> servers is considered a "user".
>> You confuse authentication with authorization. In this case, that
>> principal is certainly authenticated. It's just not authorized (in your
>> case). There certainly may be cases where such users are authorized to
>> some degree.
>
> Kurt, it's not that simple: Of course there was a successful authentication
> in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
> you're done for processing "by users".
> But the user is not really *identified* in terms of an entity represented by a
> directory entry and therefore the behaviour looks strange to me because no-one
> wants to deal with SASL authc-DNs when designing ACLs.

The user identity was verified. Whether they have an entry or not is not a factor in
authentication (excepting to the extent that entry holds credential information).
What you are saying is you want authenticated users with a directory entry to have
different authorization than authenticated users without a directory entry.
IIRC, if you want all authenticated users without a directory entry to be treated as
anonymous, you can perform an authzid mapping through an LDAP lookup and basically force
that behavior.

> I'd prefer changing semantics of "by users" to "identified clients" or having another
> key-word "by identifiedusers" with that semantics.

Clients are always identified (generally by IP address). But they are always
authenticated. Authentication is the step which verifies identity.
Users is defined as meaning "authenticated users", which is quite correct.

> The authorization step happens *after* identification based on the (optionally
> mapped) principal name.

Actually, there are (at least) two different forms of authorization going on: Service
level authorization and Information access authorization.
access statements are about the latter.
One can control the former by having authorization mappings fail, by various require
statements, etc.
-- Kurt
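As an added illustration (not part of the thread), a slapd.conf fragment showing how the distinction Michael asks for can be expressed with the existing ACL vocabulary: `by dn.children` matches only identities whose authorization DN is a real entry under ou=people, while `by users` also matches an unmapped SASL authc-DN such as the peercred form produced by SASL/EXTERNAL over LDAPI. The suffix dc=example,dc=com, the ou=people container and the authz-regexp pattern are assumed values.

```conf
# Added example, not from the thread; the suffix, the ou=people
# container and the uidNumber-based mapping are assumed values.

# Map an LDAPI peercred authc-DN to a real entry when one exists.
# If the search finds nothing, the session keeps its authc-DN form,
# e.g. gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth,
# which is authenticated (matches "by users") but is not an entry.
authz-regexp
    gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uidNumber=$1)

# First clause: identities that mapped to an entry under ou=people.
# Second clause: any other authenticated identity, mapped or not.
# Third clause: anonymous binds.
access to dn.subtree="dc=example,dc=com"
    by dn.children="ou=people,dc=example,dc=com" read
    by users search
    by * none
```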