Sean Gallagher wrote:
On 27/07/2023 5:57 pm, Ondřej Kuzník wrote:
I'm not sure what you're trying to achieve here. Why do you want to distinguish different kinds of anonymous clients?
My clients are very asymmetric. Each has a particular job to do, and a particular set of operations to perform on the database. I was trying to restrict access for each client, to just what was needed for it to perform its task. Then if one client is compromised, damage can be (more) contained.
As it stands, before a bind, all (IP) clients look the same (apart from the IP address) - and so all clients need "auth" access to all other clients' credentials.
That is all false. No auth privileges are needed to perform a SASL EXTERNAL Bind.
If any client is granted some pre-bind rights, all clients get those same rights. One compromised client makes all clients vulnerable. This is not necessary.
The exact same is true with what you've proposed.
slapd _knows_ the identity of each client, it's just a matter of exposing it to the ACL rules. It's not even without precedent, the sasl_ssf is exposed to the ACL rules before a bind, why not other properties of the sasl state?
Anyway, this is just a "nice to have" idea, the real-life effect this would have on security is pretty minimal. It's just frustrating when I have to weaken access controls to do things the "right" way.
All you're doing is inventing a new authentication mechanism instead of using one that already exists.