[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Documentation request

Howard Chu <hyc@symas.com> writes:
> Quanah Gibson-Mount wrote:

>> This allows users who bind to the server to read their person entry when
>> their binding user id matches the user id in the people tree.

> I guess that makes sense. What is an example "user" in this case, does
> that reside under the people tree, or the accounts tree?

Accounts (in the sense that that's where krb5principalname is, which I
think is what you mean).

>> This was an experimental ACL for doing host based restrictions of user
>> logins.  It currently will never be used since this was never
>> deployed. Still a cool idea though, I think. ;)

> That would require your "host" attribute to use DN syntax. So presumably
> the user in this case is an nss_ldap proxy account...?

Yeah, we were planning on setting host attributes to DN syntax, although
we never finished really specifying how that was all going to work.

> Don't users just bind using account entries anyway? Isn't this the same
> as "by self read" ? Or you're saying that there can be multiple accounts
> with the same uid?

There aren't, so I think you're right.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>