On Tue, 1 Aug 2023 at 04:35, Ondřej Kuzník <ondra@mistotebe.net> wrote:
> On Tue, Aug 01, 2023 at 09:09:43AM +1000, Sean Gallagher wrote:
> > - Finally, if the system admin wants to use the TLS layer authentication
> > state to subtly modify access rights, that is also allowed by the RFCs, BUT NOT BY SLAPD.
> > I find slapd's incapacity in the third case to be a bizarre inconsistency.
>
> The ACL subsystem is extensible well beyond this and I find it bizarre that you keep ignoring that.
I created a dynacl a while back that does what I think Sean is looking for: use the SASL_AUTH_EXTERNAL property to allow auth access to userPassword. My original use case was to get rid of an IP whitelist and instead use TLS client auth to control what clients can perform a simple bind, but it can be used for pretty much any access you'd like.
I've attached a simplified version of that dynacl that does away with instance-specific checks.
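As an added illustration (not the dynacl attached to the message, which is not reproduced on the page), this is the shape of the slapd.conf ACL change the message describes: the IP-whitelist rule the dynacl replaces, beside a rule that delegates the decision to a dynacl. The module name `tlsauth`, the module file `tlsauth.la` and the network 192.0.2.0/24 are hypothetical values chosen for this example; the real module's name and options are whatever the attached code registers.

```conf
# Before: the ability to simple-bind (auth access to userPassword) is gated on
# the client's source address. 192.0.2.0/24 is a constructed example network.
access to attrs=userPassword
    by peername.ip=192.0.2.0%255.255.255.0 auth
    by * none

# After: load the dynacl module (hypothetical name) and let it grant auth access
# only when slapd has handed the SASL layer an externally authenticated identity
# (SASL_AUTH_EXTERNAL), i.e. the connection presented a verified TLS client cert.
moduleload tlsauth.la

# slapd only requests and verifies a client certificate if TLSVerifyClient is
# "try" or "demand"; with the default "never" the property is never set and the
# dynacl rule below would never match.
TLSVerifyClient try

access to attrs=userPassword
    by dynacl/tlsauth auth
    by * none
```

Both rule sets fall through to `by * none` for everyone else, so a client that merely negotiated TLS without a client certificate (or connected in cleartext) cannot attempt a simple bind against these entries. Note that the built-in `ssf` and `tls_ssf` clauses express encryption strength, not peer authentication, which is why a dynacl is needed for the client-certificate case.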