Howard Chu <hyc@symas.com> writes:
> Quanah Gibson-Mount wrote:
>> This allows users who bind to the server to read their person entry when their binding user id matches the user id in the people tree.
> I guess that makes sense. What is an example "user" in this case? Does that reside under the people tree, or the accounts tree?

Accounts (in the sense that that's where krb5principalname is, which I think is what you mean).

>> This was an experimental ACL for doing host-based restrictions of user logins. It currently will never be used, since this was never deployed. Still a cool idea though, I think. ;)
> That would require your "host" attribute to use DN syntax. So presumably the user in this case is an nss_ldap proxy account...?

Yeah, we were planning on setting host attributes to DN syntax, although we never finished really specifying how that was all going to work.

> Don't users just bind using account entries anyway? Isn't this the same as "by self read"? Or you're saying that there can be multiple accounts with the same uid?

There aren't, so I think you're right.
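The two ACL forms the thread compares, written out as an added cn=config example that is not part of the original exchange and not taken from either poster's configuration. The suffix dc=example,dc=com, the ou=people and ou=accounts containers, the database index {1}mdb and the DN-syntax attribute name "host" are all assumed; in OpenLDAP set ACLs, "user" is the bound entry and "this" is the entry being accessed, so a non-empty intersection grants the access. The difference between the forms is that "by self" matches only when the bound DN is the target entry itself, while the uid-match set rule grants across distinct entries that share a uid value. The host rule is one reading of the experimental ACL the thread describes (a proxy binding as a host entry may read only the accounts whose host attribute names that entry), labelled as an assumption here, and it would need a schema attribute with DN syntax rather than the IA5-string host attribute from cosine.schema.

```ldif
# Added example, not from the thread. All names below are assumed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: uid-match form. Read a person entry when the uid value(s) of the
# bound entry ("user") intersect the uid value(s) of the target ("this").
# This grants across entries, e.g. uid=jdoe,ou=accounts reading
# uid=jdoe,ou=people, which "by self" alone never does.
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by set="user/uid & this/uid" read
  by * none
# Rule 1: "by self" form plus the assumed host restriction. "self" matches
# only when the bound DN equals the target entry. The set clause grants
# read when the bound DN appears among the target's DN-syntax "host"
# values, which is how an nss_ldap proxy bound as a host entry would see
# only the accounts allowed on that host (assumption, see lead-in).
olcAccess: {1}to dn.subtree="ou=accounts,dc=example,dc=com"
  by self read
  by set="this/host & user" read
  by * none
olcAccess: {2}to * by * none
```

To confirm which rule actually fires for a given bind, run slapacl(8) against the stopped server's config, e.g. `slapacl -F /etc/ldap/slapd.d -D "uid=jdoe,ou=accounts,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" cn/read`; it reports whether read is allowed for that authcDN on that entry without needing a live bind. Keep the explicit `by * none` terminators, since an ACL list that runs off the end of a `to` clause denies by default but the intent is clearer when it is spelled out.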