Discussion:
by users in <WHO> field
Michael Ströder
2010-04-01 15:49:31 UTC
Permalink
HI!

I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
(e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
directory entry what does "by users" then mean exactly?

It seems that slapd grants access with clause "by users" but I feel this is
wrong. I'd prefer if "users" would mean fully-identified clients mapped to a
real entry.

I saw that slapd.access(5) also mentions "realusers" for the <WHO> field but
using this instead of "users" makes no difference.

Ciao, Michael.
Howard Chu
2010-04-01 19:58:19 UTC
Permalink
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with SASL/EXTERNAL
(e.g. over LDAPI) and the authc-DN does *not* map to an authz-DN of a real
directory entry what does "by users" then mean exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this is
wrong. I'd prefer if "users" would mean fully-identified clients mapped to a
real entry.
No. Such a restriction would prevent distributed authentication from ever working.
Post by Michael Ströder
I saw that slapd.access(5) also mentions "realusers" for the<WHO> field but
using this instead of "users" makes no difference.
Obviously that's not what it means. The "real" prefix specifies the real user
when proxy authorization is in effect.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Quanah Gibson-Mount
2010-04-01 22:22:47 UTC
Permalink
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to resort
to sets instead).

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Howard Chu
2010-04-01 22:48:51 UTC
Permalink
Post by Quanah Gibson-Mount
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to resort
to sets instead).
Nonsense. There's a clear difference between SASL DNs and "real" DNs - just
write an ACL to deny access to any SASL DN, then only your users that were
successfully mapped to real DNs will have access.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Kurt Zeilenga
2010-04-01 23:12:29 UTC
Permalink
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs DNs that actually map to an entry in the database is that for some things (like SASL/GSSAPI setups) it makes the "users" value completely worthless, as any kerberos principal in the KDB that connects to the ldap servers is considered a "user".
You confuse authentication with authorization. In this case, that principal is certainly authenticated. It's just not authorized (in your case). There certainly may be cases where such users are authorized to some degree.
Thus I had to rework all my acls to avoid ever using the "users" concept when it would have been quite useful (and had to resort to sets instead).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Michael Ströder
2010-04-02 19:30:07 UTC
Permalink
Post by Kurt Zeilenga
Post by Quanah Gibson-Mount
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely
worthless, as any kerberos principal in the KDB that connects to the ldap
servers is considered a "user".
You confuse authentication with authorization. In this case, that
principal is certainly authenticated. It's just not authorized (in your
case). There certainly may be cases where such users are authorized to
some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".

But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another key-word "by
identifiedusers" with that semantics.

The authorization step happens *after* identification based on the (optionally
mapped) principal name.

Ciao, Michael.
Quanah Gibson-Mount
2010-04-02 19:46:37 UTC
Permalink
--On Friday, April 02, 2010 9:30 PM +0200 Michael Ströder
Post by Michael Ströder
Kurt, it's not that simple: Off course there was an successful
authentication in case of SASL/EXTERNAL. Taking the term "authenticated
clients" literally you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented
by a directory entry and therefore the behaviour looks strange to me
because no-one wants to deal with SASL authc-DNs when designing ACLs. I'd
prefer changing semantics of "by users" to "identified clients" or having
another key-word "by identifiedusers" with that semantics.
The authorization step happens *after* identification based on the
(optionally mapped) principal name.
We do this elsewhere. Perhaps usersz and usersc? (Similar to authc and
authz?)

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Kurt Zeilenga
2010-04-02 19:49:44 UTC
Permalink
Post by Michael Ströder
Post by Kurt Zeilenga
Post by Quanah Gibson-Mount
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely
worthless, as any kerberos principal in the KDB that connects to the ldap
servers is considered a "user".
You confuse authentication with authorization. In this case, that
principal is certainly authenticated. It's just not authorized (in your
case). There certainly may be cases where such users are authorized to
some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs.
The user identity was verified. Whether they have an entry or not is not factor in authentication (excepting to the extent that entry holds credential informaiton).

What you are saying is you want authenticated users with a directory entry to have different authorization than authenticated users without a directory entry.

IIRC, if you want all authenticated users without a directory entry to be treated as anonymous, you can perform a authzid mapping through an LDAP lookup and basically force that behavior.
Post by Michael Ströder
I'd prefer changing
semantics of "by users" to "identified clients" or having another key-word "by
identifiedusers" with that semantics.
Clients are always identified (generally by IP address). But they are always authenticated. Authentication is the step which verifies identity.

Users is defined as meaning "authenticated users", which is quite correct.
Post by Michael Ströder
The authorization step happens *after* identification based on the (optionally
mapped) principal name.
Actually, there's (at least) two different forms of authorization going on: Service level authorization and Information access authorization.

access statements are about the latter.

One can control the former by having authorization mappings fail, by various require statements, etc.

-- Kurt
Michael Ströder
2010-04-03 09:07:13 UTC
Permalink
Post by Kurt Zeilenga
IIRC, if you want all authenticated users without a directory entry to be
treated as anonymous, you can perform a authzid mapping through an LDAP
lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose. But
although there's no authz-DN found for the technical authc-DN the client is
treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's
wrong.

So I have to add the work-around <WHO> field Pierangelo suggested to all those
ACLs.

Ciao, Michael.
m***@aero.polimi.it
2010-04-03 13:22:41 UTC
Permalink
Post by Michael Ströder
Post by Kurt Zeilenga
IIRC, if you want all authenticated users without a directory entry to be
treated as anonymous, you can perform a authzid mapping through an LDAP
lookup and basically force that behavior.
Actually my slapd.conf contains a authz-regexp directive for that purpose. But
although there's no authz-DN found for the technical authc-DN the client is
treated as authenticated. Yes, this is described in slapd.conf(5) but IMO it's
wrong.
So I have to add the work-around <WHO> field Pierangelo suggested to all those
ACLs.
I wouldn't call that exactly a "workaround", since it does things the way
they are intended to be done. As many pointed out, "users" means
"authenticated", and they actually are. ACLs allow you to give specific
privileges based on the identity, and that's the way I'd use. Any way
that allows to tell, based on their DN, whether authenticated users
actually correspond to an in-directory entry, is good for the purpose.
Remember: it's your own rule that gives higher privileges to users with an
in-directory entry. In general, this cannot be considered a generally
valid rule, as it would basically prevent authenticated distributed
directory operations.

p.

Howard Chu
2010-04-02 21:52:14 UTC
Permalink
Post by Michael Ströder
Post by Kurt Zeilenga
Post by Quanah Gibson-Mount
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from ever working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely
worthless, as any kerberos principal in the KDB that connects to the ldap
servers is considered a "user".
You confuse authentication with authorization. In this case, that
principal is certainly authenticated. It's just not authorized (in your
case). There certainly may be cases where such users are authorized to
some degree.
Kurt, it's not that simple: Off course there was an successful authentication
in case of SASL/EXTERNAL. Taking the term "authenticated clients" literally
you're done for processing "by users".
But the user is not really *identified* in terms of an entity represented by a
directory entry and therefore the behaviour looks strange to me because no-one
wants to deal with SASL authc-DNs when designing ACLs. I'd prefer changing
semantics of "by users" to "identified clients" or having another key-word "by
identifiedusers" with that semantics.
That's completely wrong. "Authentication" is the process by which one party
asserts their identity to another party and provides proof of that assertion.
If the client has authenticated successfully, then they have, by definition,
identified themselves.
Post by Michael Ströder
The authorization step happens *after* identification based on the (optionally
mapped) principal name.
Yes of course. And if you want some certain authenticated clients to be
treated differently from other authenticated clients, that's your business.
That's exactly what ACLs are for.

As an aside, if your authentication system identifies a large proportion of
clients that you don't actually want to serve, it seems to me you're not using
the right authentication system, but that's totally a side issue.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
m***@aero.polimi.it
2010-04-01 23:13:21 UTC
Permalink
Post by Quanah Gibson-Mount
Post by Howard Chu
Post by Michael Ströder
HI!
I have some doubts about ACLs containing "by users" and the term
"authenticated clients" used in the man pages: If I bind with
SASL/EXTERNAL (e.g. over LDAPI) and the authc-DN does *not* map to an
authz-DN of a real directory entry what does "by users" then mean
exactly?
It means anyone who has successfully authenticated, by any means.
Post by Michael Ströder
It seems that slapd grants access with clause "by users" but I feel this
is wrong. I'd prefer if "users" would mean fully-identified clients
mapped to a real entry.
No. Such a restriction would prevent distributed authentication from
ever
working.
The downside of not being able to be able to specify authenticated DNs vs
DNs that actually map to an entry in the database is that for some things
(like SASL/GSSAPI setups) it makes the "users" value completely worthless,
as any kerberos principal in the KDB that connects to the ldap servers is
considered a "user". Thus I had to rework all my acls to avoid ever using
the "users" concept when it would have been quite useful (and had to resort
to sets instead).
What about

access to ...
by dn.subtree="cn=auth" none
by users read

This would blow away non-mapped users, and give mapped ones the desired
access

p.
Loading...