Quanah Gibson-Mount wrote:
--On Thursday, July 27, 2023 5:23 PM +0100 Howard Chu hyc@symas.com wrote:
Sean Gallagher wrote:
On 27/07/2023 5:57 pm, Ondřej Kuzník wrote:
I'm not sure what you're trying to achieve here. Why do you want to distinguish different kinds of anonymous clients?
My clients are very asymmetric. Each has a particular job to do, and a particular set of operations to perform on the database. I was trying to restrict access for each client, to just what was needed for it to perform its task. Then if one client is compromised, damage can be (more) contained.
As it stands, before a bind, all (IP) clients look the same (apart from the IP address) - and so all clients need "auth" access to all other clients' credentials.
That is all false. No auth privileges are needed to perform a SASL EXTERNAL Bind.
That is not necessarily true. If you do a direct mapping, correct. If you have an ldap URI that does an internal lookup as part of validating the external bind, then auth is necessary on those attributes. This is noted explicitly in the man page.
Wrong. In a SASL EXTERNAL Bind there are no failure conditions, the entire point is that the presence of the session means it was already validated. Failure to map the SASL authc identity doesn't invalidate it, it just means the original identity is used as-is. Regardless, the Bind succeeds unconditionally.
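For readers following the direct-mapping vs. URI-lookup distinction above, here is an added slapd.conf fragment (not from any of the posters, and not from the OpenLDAP source) showing both authz-regexp forms for TLS client certificates; the suffix dc=example,dc=com, the ou=clients subtree and the certificate subject format are assumed.

```conf
# Added example: require a client certificate so the TLS session
# carries an authentication identity usable by SASL EXTERNAL.
TLSVerifyClient demand

# Form 1: direct mapping. The certificate subject DN (assumed to be
# cn=<client>,ou=clients,o=example) is rewritten to a directory DN
# by string substitution only; slapd performs no internal search.
authz-regexp
  "^cn=([^,]+),ou=clients,o=example$"
  "cn=$1,ou=clients,dc=example,dc=com"

# Form 2: URI mapping. slapd runs an internal subtree search to find
# the entry whose assumed attribute x509Subject matches; this is the
# case where the lookup itself is subject to the server's ACLs.
# authz-regexp
#   "^cn=([^,]+),ou=clients,o=example$"
#   "ldap:///ou=clients,dc=example,dc=com??sub?(cn=$1)"

# Per-client least privilege is then expressed against the mapped DN
# rather than against an anonymous/IP-based identity.
access to dn.subtree="ou=jobs,dc=example,dc=com"
  by dn.exact="cn=worker1,ou=clients,dc=example,dc=com" write
  by * none
```

Only one of the two authz-regexp forms should be active for a given pattern; the second is commented out here so the file loads as shown.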