Comment 2 for bug 621416

Thomas NOEL (thomas-noel) wrote :

Thanks @James,

Yes, I tried. The problem, I think, is the algorithm (man pklocalauthority): « First, the user of the Subject is determined and the groups that the user belongs are looked up. For each group identity, the authorization entries are consulted in order. (...) Finally, the authorization entries are consulted using the user identity in the same manner. (...) Note that processing continues even after a match. »

I thought I could ban all users (unix-user:*) and authorize a group (unix-group:hibersus). But I cannot: it is the prohibition of all users that will be taken into account at the end of the process... The order (user/group) does not matter.

If someone has another idea... I can test ;)

Thanks
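
Added example, not part of the original comment and not polkit's own code: a simplified Python model of the evaluation order quoted above from man pklocalauthority, showing why a unix-user:* denial overrides a unix-group:hibersus grant whichever entry comes first. The user names, the single yes/no result per entry and the function name `decide` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed entries modelling the two rules from the comment.
# Real entries are read from files and carry per-session results;
# here each entry has one identity glob list and one result.
DENY_ALL_USERS = {"identity": "unix-user:*", "result": "no"}
ALLOW_GROUP = {"identity": "unix-group:hibersus", "result": "yes"}


def matches(identity, entry):
    """True if the identity matches any glob in the entry's ';'-separated list."""
    patterns = [p for p in entry["identity"].split(";") if p]
    return any(fnmatchcase(identity, p) for p in patterns)


def decide(user, groups, entries):
    """Model of the quoted algorithm.

    1. For each group identity, consult the entries in order.
    2. Finally, consult the entries using the user identity.
    Processing continues even after a match, so the last match wins.
    Returns None when no entry matched at all.
    """
    result = None
    identities = [f"unix-group:{g}" for g in groups] + [f"unix-user:{user}"]
    for identity in identities:
        for entry in entries:
            if matches(identity, entry):
                result = entry["result"]  # no early exit: keep going
    return result


if __name__ == "__main__":
    # "alice" is a hypothetical member of hibersus.
    for order in ([DENY_ALL_USERS, ALLOW_GROUP], [ALLOW_GROUP, DENY_ALL_USERS]):
        names = [e["identity"] for e in order]
        print(names, "->", decide("alice", ["hibersus"], order))
    # Without the unix-user:* denial, the group grant is what remains.
    print("group only ->", decide("alice", ["hibersus"], [ALLOW_GROUP]))
```

In this model the user pass always runs after the group pass, so any entry matching unix-user:* is the last match for every subject; reordering the entries cannot change that.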