
Re: Documentation request



Howard Chu <hyc@symas.com> writes:
> Quanah Gibson-Mount wrote:

>> This allows users who bind to the server to read their person entry when
>> their binding user id matches the user id in the people tree.

> I guess that makes sense. What is an example "user" in this case, does
> that reside under the people tree, or the accounts tree?

Accounts (in the sense that that's where krb5principalname is, which I
think is what you mean).

>> This was an experimental ACL for doing host based restrictions of user
>> logins.  It currently will never be used since this was never
>> deployed. Still a cool idea though, I think. ;)

> That would require your "host" attribute to use DN syntax. So presumably
> the user in this case is an nss_ldap proxy account...?

Yeah, we were planning on setting host attributes to DN syntax, although
we never finished really specifying how that was all going to work.

> Don't users just bind using account entries anyway? Isn't this the same
> as "by self read" ? Or you're saying that there can be multiple accounts
> with the same uid?

There aren't, so I think you're right.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
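The three access rules discussed in the thread, written out as an added slapd.conf example (not configuration from the original message or from Stanford's deployment). It assumes a hypothetical suffix dc=example,dc=com, an ou=People subtree for person entries, an ou=Accounts subtree for the entries users bind as, a uid attribute present in both, and a host attribute with DN syntax as the thread proposes.

```conf
# Added example: OpenLDAP slapd.conf access rules illustrating the thread.
# Suffix, subtrees and attribute names are assumptions, not from the message.

# 1. Let a user bound as an account entry read the person entry whose uid
#    matches the uid of the entry they bound as.  "user" is the bind DN's
#    entry, "this" is the entry being accessed; the set ACL grants access
#    when the intersection of the two uid value sets is non-empty.
access to dn.subtree="ou=People,dc=example,dc=com"
        by set="user/uid & this/uid" read
        by * none

# 2. Equivalent rule for the common case where users bind as the entry
#    they read: "self" is the bind DN itself, so no uid comparison is needed.
#    As the thread concludes, with one account per uid this is sufficient.
access to dn.subtree="ou=Accounts,dc=example,dc=com"
        by self read
        by * none

# 3. Host-based restriction as sketched in the thread: a host entry's
#    (DN-syntax) "host" attribute names the accounts permitted on it, and
#    dnattr grants access only when the bind DN appears among those values.
#    The attribute must hold DNs, which is why Howard's DN-syntax remark applies.
access to dn.subtree="ou=Hosts,dc=example,dc=com"
        by dnattr=host read
        by * none
```

Rules are evaluated in order and the first matching "access to" clause wins, so a catch-all "by * none" at the end of each clause prevents unintended fall-through.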