8:49 a.m.
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
(e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
directory entry what does "by users" then mean exactly?
It seems that slapd grants access with clause "by users" but I feel this is
wrong. I'd prefer if "users" would mean fully-identified clients mapped to
a
real entry.
I saw that slapd.access(5) also mentions "realusers" for the <WHO> field
but
using this instead of "users" makes no difference.
Ciao, Michael.
12:58 p.m.
Michael Ströder wrote:
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
(e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
directory entry what does "by users" then mean exactly?
It means anyone who has successfully authenticated, by any means.
It seems that slapd grants access with clause "by users"
but I feel this is
wrong. I'd prefer if "users" would mean fully-identified clients mapped to
a
real entry.
No. Such a restriction would prevent distributed authentication from ever working.
I saw that slapd.access(5) also mentions "realusers" for the<WHO> field
but
using this instead of "users" makes no difference.
Obviously that's not what it means. The "real" prefix specifies the real
user
when proxy authorization is in effect.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:22 p.m.
--On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc(a)symas.com>
wrote:
Michael Ströder wrote:
> HI!
>
> I have some doubts about ACLs containing "by users" and the term
> "authenticated clients" used in the man pages: If I bind with
> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
> authz-DN of a real directory entry what does "by users" then mean
> exactly?
It means anyone who has successfully authenticated, by any means.
> It seems that slapd grants access with clause "by users" but I feel this
> is wrong. I'd prefer if "users" would mean fully-identified clients
> mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever
working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to resort
to sets instead).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
3:48 p.m.
Quanah Gibson-Mount wrote:
--On Thursday, April 01, 2010 12:58 PM -0700 Howard
Chu<hyc(a)symas.com>
wrote:
> Michael Ströder wrote:
>> HI!
>>
>> I have some doubts about ACLs containing "by users" and the term
>> "authenticated clients" used in the man pages: If I bind with
>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>> authz-DN of a real directory entry what does "by users" then mean
>> exactly?
>
> It means anyone who has successfully authenticated, by any means.
>
>> It seems that slapd grants access with clause "by users" but I feel
this
>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>> mapped to a real entry.
>
> No. Such a restriction would prevent distributed authentication from ever
> working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to resort
to sets instead).
Nonsense. There's a clear difference between SASL DNs and "real" DNs - just
write an ACL to deny access to any SASL DN, then only your users that were
successfully mapped to real DNs will have access.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:12 p.m.
On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
--On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu
<hyc(a)symas.com> wrote:
> Michael Ströder wrote:
>> HI!
>>
>> I have some doubts about ACLs containing "by users" and the term
>> "authenticated clients" used in the man pages: If I bind with
>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>> authz-DN of a real directory entry what does "by users" then mean
>> exactly?
>
> It means anyone who has successfully authenticated, by any means.
>
>> It seems that slapd grants access with clause "by users" but I feel
this
>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>> mapped to a real entry.
>
> No. Such a restriction would prevent distributed authentication from ever
> working.
The downside of not being able to be able to specify authenticated DNs vs DNs that
actually map to an entry in the database is that for some things (like SASL/GSSAPI setups)
it makes the "users" value completely worthless, as any kerberos principal in
the KDB that connects to the ldap servers is considered a "user".
You confuse authentication with authorization. In this case, that principal is certainly
authenticated. It's just not authorized (in your case). There certainly may be cases
where such users are authorized to some degree.
Thus I had to rework all my acls to avoid ever using the
"users" concept when it would have been quite useful (and had to resort to sets
instead).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
12:30 p.m.
Kurt Zeilenga wrote:
On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
>
>> Michael Ströder wrote:
>>> HI!
>>>
>>> I have some doubts about ACLs containing "by users" and the term
>>> "authenticated clients" used in the man pages: If I bind with
>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>> authz-DN of a real directory entry what does "by users" then mean
>>> exactly?
>>
>> It means anyone who has successfully authenticated, by any means.
>>
>>> It seems that slapd grants access with clause "by users" but I feel
this
>>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>>> mapped to a real entry.
>>
>> No. Such a restriction would prevent distributed authentication from ever
>> working.
>
> The downside of not being able to be able to specify authenticated DNs vs
> DNs that actually map to an entry in the database is that for some things
> (like SASL/GSSAPI setups) it makes the "users" value completely
> worthless, as any kerberos principal in the KDB that connects to the ldap
> servers is considered a "user".
You confuse authentication with authorization. In this case, that
principal is certainly authenticated. It's just not authorized (in your
case). There certainly may be cases where such users are authorized to
some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another
key-word "by
identifiedusers" with that semantics.
The authorization step happens *after* identification based on the (optionally
mapped) principal name.
Ciao, Michael.
12:46 p.m.
--On Friday, April 02, 2010 9:30 PM +0200 Michael Ströder
<michael(a)stroeder.com> wrote:
Kurt, it's not that simple: Off course there was an successful
authentication in case of SASL/EXTERNAL. Taking the term "authenticated
clients" literally you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented
by a directory entry and therefore the behaviour looks strange to me
because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd
prefer changing semantics of "by users" to "identified clients" or
having
another key-word "by identifiedusers" with that semantics.
The authorization step happens *after* identification based on the
(optionally mapped) principal name.
We do this elsewhere. Perhaps usersz and usersc? (Similar to authc and
authz?)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
12:49 p.m.
On Apr 2, 2010, at 12:30 PM, Michael Ströder wrote:
Kurt Zeilenga wrote:
> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard
Chu <hyc(a)symas.com> wrote:
> >>> Michael Ströder wrote:
>>>> HI!
>>> >>>> I have some doubts
about ACLs containing "by users" and the term
>>>> "authenticated clients" used in the man pages: If I bind with
>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>> authz-DN of a real directory entry what does "by users" then
mean
>>>> exactly?
>> >>> It means anyone who
has successfully authenticated, by any means.
>> >>>> It seems that
slapd grants access with clause "by users" but I feel this
>>>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>>>> mapped to a real entry.
>> >>> No. Such a restriction
would prevent distributed authentication from ever
>>> working.
> >> The downside of not being able to be able to specify
authenticated DNs vs
>> DNs that actually map to an entry in the database is that for some things
>> (like SASL/GSSAPI setups) it makes the "users" value completely
>> worthless, as any kerberos principal in the KDB that connects to the ldap
>> servers is considered a "user".
> You confuse authentication with authorization. In this
case, that
> principal is certainly authenticated. It's just not authorized (in your
> case). There certainly may be cases where such users are authorized to
> some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs.
The user identity was verified. Whether they have an entry or not is not factor in
authentication (excepting to the extent that entry holds credential informaiton).
What you are saying is you want authenticated users with a directory entry to have
different authorization than authenticated users without a directory entry.
IIRC, if you want all authenticated users without a directory entry to be treated as
anonymous, you can perform a authzid mapping through an LDAP lookup and basically force
that behavior.
I'd prefer changing
semantics of "by users" to "identified clients" or having another
key-word "by
identifiedusers" with that semantics.
Clients are always identified (generally by IP address). But they are always
authenticated. Authentication is the step which verifies identity.
Users is defined as meaning "authenticated users", which is quite correct.
The authorization step happens *after* identification based on the
(optionally
mapped) principal name.
Actually, there's (at least) two different forms of authorization going on: Service
level authorization and Information access authorization.
access statements are about the latter.
One can control the former by having authorization mappings fail, by various require
statements, etc.
-- Kurt
2:07 a.m.
Kurt Zeilenga wrote:
IIRC, if you want all authenticated users without a directory entry
to be
treated as anonymous, you can perform a authzid mapping through an LDAP
lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose. But
although there's no authz-DN found for the technical authc-DN the client is
treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's
wrong.
So I have to add the work-around <WHO> field Pierangelo suggested to all those
ACLs.
Ciao, Michael.
6:22 a.m.
Kurt Zeilenga wrote:
> IIRC, if you want all authenticated users without a directory entry to
> be
> treated as anonymous, you can perform a authzid mapping through an LDAP
> lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose.
But
although there's no authz-DN found for the technical authc-DN the client
is
treated as authenticated. Yes, this is described in slapd.conf(5) but IMO
it's
wrong.
So I have to add the work-around <WHO> field Pierangelo suggested to all
those
ACLs.
I wouldn't call that exactly a "workaround", since it does things the way
they are intended to be done. As many pointed out, "users" means
"authenticated", and they actually are. ACLs allow you to give specific
privileges based on the identity, and that's the way I'd use. Any way
that allows to tell, based on their DN, whether authenticated users
actually correspond to an in-directory entry, is good for the purpose.
Remember: it's your own rule that gives higher privileges to users with an
in-directory entry. In general, this cannot be considered a generally
valid rule, as it would basically prevent authenticated distributed
directory operations.
p.
2:52 p.m.
Michael Ströder wrote:
Kurt Zeilenga wrote:
>
> On Apr 1, 2010, at 3:22 PM, Quanah Gibson-Mount wrote:
>
>> --On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu<hyc(a)symas.com>
wrote:
>>
>>> Michael Ströder wrote:
>>>> HI!
>>>>
>>>> I have some doubts about ACLs containing "by users" and the
term
>>>> "authenticated clients" used in the man pages: If I bind with
>>>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>>>> authz-DN of a real directory entry what does "by users" then
mean
>>>> exactly?
>>>
>>> It means anyone who has successfully authenticated, by any means.
>>>
>>>> It seems that slapd grants access with clause "by users" but I
feel this
>>>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>>>> mapped to a real entry.
>>>
>>> No. Such a restriction would prevent distributed authentication from ever
>>> working.
>>
>> The downside of not being able to be able to specify authenticated DNs vs
>> DNs that actually map to an entry in the database is that for some things
>> (like SASL/GSSAPI setups) it makes the "users" value completely
>> worthless, as any kerberos principal in the KDB that connects to the ldap
>> servers is considered a "user".
>
> You confuse authentication with authorization. In this case, that
> principal is certainly authenticated. It's just not authorized (in your
> case). There certainly may be cases where such users are authorized to
> some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another
key-word "by
identifiedusers" with that semantics.
That's completely wrong. "Authentication" is the process by which one party
asserts their identity to another party and provides proof of that assertion.
If the client has authenticated successfully, then they have, by definition,
identified themselves.
The authorization step happens *after* identification based on the
(optionally
mapped) principal name.
Yes of course. And if you want some certain authenticated clients to be
treated differently from other authenticated clients, that's your business.
That's exactly what ACLs are for.
As an aside, if your authentication system identifies a large proportion of
clients that you don't actually want to serve, it seems to me you're not using
the right authentication system, but that's totally a side issue.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:13 p.m.
--On Thursday, April 01, 2010 12:58 PM -0700 Howard Chu
<hyc(a)symas.com>
wrote:
> Michael Ströder wrote:
>> HI!
>>
>> I have some doubts about ACLs containing "by users" and the term
>> "authenticated clients" used in the man pages: If I bind with
>> SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
>> authz-DN of a real directory entry what does "by users" then mean
>> exactly?
>
> It means anyone who has successfully authenticated, by any means.
>
>> It seems that slapd grants access with clause "by users" but I feel
>> this
>> is wrong. I'd prefer if "users" would mean fully-identified
clients
>> mapped to a real entry.
>
> No. Such a restriction would prevent distributed authentication from
> ever
> working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to
resort
to sets instead).
What about
access to ...
by dn.subtree="cn=auth" none
by users read
This would blow away non-mapped users, and give mapped ones the desired
access
p.
4998
days inactive
5000
days old
openldap-software@openldap.org
11 comments
5 participants
participants (5)
-
Howard Chu -
Kurt Zeilenga -
masarati@aero.polimi.it -
Michael Ströder -
Quanah Gibson-Mount