On 7/28/2023 7:32 AM, Howard Chu wrote:
> Regardless.
> A session is either authenticated, meaning it has an identity
> associated to it, or it is anonymous, meaning it has no identity
> associated to it. You can't have both at once. If you want an
> identity to be associated to the session, you perform a Bind
> operation. End of story.

A TLS session that requires a client certificate is authenticated,
whether or not there's a bind operation. The question is whether
the ACL subsystem can make use of that existing authentication -
whether the TLS-level authenticated identity is automatically made
available at the LDAP layer.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris