Howard Chu <[EMAIL PROTECTED]> writes:
> Quanah Gibson-Mount wrote:

>> This allows users who bind to the server to read their person entry when
>> their binding user id matches the user id in the people tree.

> I guess that makes sense. What is an example "user" in this case, does
> that reside under the people tree, or the accounts tree?

Accounts (in the sense that that's where krb5principalname is, which I
think is what you mean).

>> This was an experimental ACL for doing host based restrictions of user
>> logins. It currently will never be used since this was never
>> deployed. Still a cool idea though, I think. ;)

> That would require your "host" attribute to use DN syntax. So presumably
> the user in this case is an nss_ldap proxy account...?

Yeah, we were planning on setting host attributes to DN syntax, although
we never finished really specifying how that was all going to work.

> Don't users just bind using account entries anyway? Isn't this the same
> as "by self read" ? Or you're saying that there can be multiple accounts
> with the same uid?

There aren't, so I think you're right.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
