[Date Prev][Date Next]
Re: Documentation request
Howard Chu <firstname.lastname@example.org> writes:
> Quanah Gibson-Mount wrote:
>> This allows users who bind to the server to read their person entry when
>> their binding user id matches the user id in the people tree.
> I guess that makes sense. What is an example "user" in this case, does
> that reside under the people tree, or the accounts tree?
Accounts (in the sense that that's where krb5principalname is, which I
think is what you mean).
>> This was an experimental ACL for doing host based restrictions of user
>> logins. It currently will never be used since this was never
>> deployed. Still a cool idea though, I think. ;)
> That would require your "host" attribute to use DN syntax. So presumably
> the user in this case is an nss_ldap proxy account...?
Yeah, we were planning on setting host attributes to DN syntax, although
we never finished really specifying how that was all going to work.
> Don't users just bind using account entries anyway? Isn't this the same
> as "by self read" ? Or you're saying that there can be multiple accounts
> with the same uid?
There aren't, so I think you're right.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>