[Date Prev][Date Next]
Re: (ITS#6487) Nssov pam_authz authorizedUserService
I like what this offers administrators but I have a comment about how you
handle "wildcards". They aren't wild at all, but "magic strings" with only
one possible meaning: all users/services with the single magic character
"*". If you have a defined user naming convention like i_whatever for
interns and c_whatever for contractors, it would be useful to be able to
either include or exclude such users from using certain services.
My patch at http://www.openldap.org/its/index.cgi?findid=6495 does this for
userhost and userservices attributes, and includes negation. Would you be
interested in working with me to expand this to support real wildcards?
Also I suggest you make this two patches, as the patch submission
guidelines clearly state that one patch for 1 feature, and the meaty parts
of this are obfuscated by increasing the buffer sizes which should probably
be in a separate patch.