
Re: Basic ACL question...I think.



On Fri, Apr 16, 2010 at 12:58:21PM -0400, Ken Kleiner wrote:

> Hi, thanks for the reply. I found that the pam ldap module does help, like using pam_groupdn to point to a group that contains (in memberuid) the people that I want to have access. The problem with that is that the nss library still sees the entries as valid uids, which I don't want. Is there a similar module config I could use for libnss?

Very unlikely. What you are trying to do seems to muddle the concepts of
authentication and authorisation so it may not be straightforward.

> What defines the entries is just a group that I put them into, i.e. I create a group called emailusers and create a memberuid entry in that group for each user that I want to be visible.

In that case you should be able to write ACLs that make members of
particular groups visible to the machines that need to know about them.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
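
An added illustration of the kind of ACL suggested in the reply above (not part of the original message or written by its author): a slapd.conf fragment that assumes an OpenLDAP server and uses a set to compare each account's uid with the memberUid values of the emailusers group. All DNs, including the mail host's bind identity, are hypothetical.

```conf
# Constructed example; every DN below is hypothetical.
# Assumptions: accounts sit directly under ou=People, the mail host's
# libnss/pam configuration binds as cn=mailhost,ou=Hosts,..., and other
# rules already give that identity search access to the ou=People
# container entry itself (dn.onelevel does not cover the base entry).
#
# First "by": the mail host may read an account only when the account's
# uid appears in memberUid of cn=emailusers.
# Second "by": for every other account the mail host gets "none" and
# evaluation stops here, so a later, broader rule cannot expose the
# entry to it. To that host, those uids do not exist.
# Third "by": all other identities fall through to the rules that follow.
access to dn.onelevel="ou=People,dc=example,dc=com"
    by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com" set="[cn=emailusers,ou=Group,dc=example,dc=com]/memberUid & this/uid" read
    by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com" none
    by * break
```

Because slapd applies the first access directive that matches an entry, this rule has to appear before any more general rule covering ou=People.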