(CCing the list)

On 08/03/12 11:31 +0800, Qian Zhang wrote:
I am just wondering if there is a well-known rule for this use case; I'd like to follow the generally accepted way. So most people think user1 should not log into the machine in this case, I will ignore gidNumber and only care about the memberUid attribute.
Personally, I prefer to place authorization attributes within the user's dn, rather than to maintain groups for the same purpose, but I have done it both ways in the past. Using 'nssov-pam userhost [...]' would be a good way to do that.

--
Dan White