From 4f2216869e39f0c919511a06ccb792ca8e544f6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Thu, 16 May 2019 13:37:52 -0400
Subject: [PATCH] add note about guest users

---
 tsa/howto/create-a-new-user.mdwn | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tsa/howto/create-a-new-user.mdwn b/tsa/howto/create-a-new-user.mdwn
index 81a22a13..9e033b21 100644
--- a/tsa/howto/create-a-new-user.mdwn
+++ b/tsa/howto/create-a-new-user.mdwn
@@ -82,6 +82,14 @@ LDAP write access.
      * the email forward is likely to be incorrect if the key has
        multiple email address as UIDs
 
+     * if the user is a "guest" (ie. it needs to have access only to a
+       subset of machines), you should use the `-g` flag to
+       `ud-useradd`. this will put the user in the `guest` group. it
+       will also prompt for a list of allowed machines (which can be
+       left empty) and an expiry date for the account (which can be
+       set to zero to disable). then the group can be changed with
+       `ldapvi`.
+
   2. synchronize the change:
   
           sudo -u sshdist ud-generate && sudo -H ud-replicate
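Review bot: The added guest bullet leaves the two access-limiting prompts ambiguous. "a list of allowed machines (which can be left empty)" does not say what an empty list grants, and "an expiry date for the account (which can be set to zero to disable)" can be read as disabling the account or as disabling expiry. Since the bullet defines a guest as a user who needs access "only to a subset of machines", please state what an empty list means for host access and that zero means no expiry (if that is the intent), and consider recommending a real expiry date for guests. The closing sentence "then the group can be changed with `ldapvi`" also needs a word on which group is meant and when you would change it, given that `-g` has just put the user in `guest`. Minor style point: "ie." should be "i.e.".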
-- 
GitLab