(CCing the list)
On 08/03/12 11:31 +0800, Qian Zhang wrote:
I am just wondering if there is a well-known rule for this use case,
I'd like to follow the general acceptable way. So most of people think
user1 should not log into the machine in this case, I will ingore
gidNumber and only care about memberUid attribute.
Personally, I prefer to place authorization attributes within the user's dn,
rather than to maintain groups for the same purpose, but I have done it
both ways in the past.
Using 'nssov-pam userhost [...]' would be a good way to do that.