Howard,

So, what is the right way? Could you give me an example of how to set this up, or give me a reference to a good source on this?

Thank you!

Greetz,

Fred <http://epsilon.eridani.nl>

2012/2/22 Howard Chu <[email protected]>

> Fred van Zwieten wrote:
>
>> Hi llg,
>>
>> I fail to see how this solves my RBAC need.
>>
>> Let me give an example:
>>
>> Say, personA is in ou DeptA. Then, ideally personA would, based on being in
>> this ou, become member of group webserver.
>>
>> Now, when I move personA to ou DeptB, this would mean that, on the next
>> login, it loses its membership to group webserver, but now becomes member of,
>> i.e., group mailservers.
>>
>> This way, you implement security policies based on the role of a person.
>>
>
> This is not the right way to implement roles. Generally DNs are intended
> to be constant (though obviously they are allowed to change, changes should
> be infrequent).
>
>> How could this ideally be done with OpenLDAP?
>>
>> Greetz,
>>
>> Fred <http://epsilon.eridani.nl>
>>
>> 2012/2/22 llg <[email protected]>
>>
>> Hi,
>> persons should use inetOrgPerson and PosixAccount schemas: gidNumber
>> gives primary group.
>>
>> Then define specific branch ou=posix based on PosixGroup schema and add
>> the uid of the person in memberUid multiple values attribute to specify
>> secondary gid.
>>
>> Regards
>> Llg
>>
>> On 22/02/2012 10:22, Fred van Zwieten wrote:
>>
>>> Hi all,
>>>
>>> warning: openldap newbie..
>>>
>>> is it possible to have a person put into an OU and, because of this,
>>> will become member of some group in such a way that this group shows up
>>> in linux using "id"? This to implement some form of RBAC. I found
>>> GroupofMembers, but that has nothing to do with OU's. Also, it seems
>>> posixGroup and groupOfMembers objecttypes are no longer allowed together
>>> because they are both STRUCTURAL.
>>>
>>> In AD this is possible.
>>>
>>> Greetz,
>>>
>>> Fred <http://epsilon.eridani.nl>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
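Added example, not from anyone in the thread: a small Python script that shows how the layout llg describes (gidNumber on the posixAccount for the primary group, memberUid on posixGroup entries under ou=posix for secondary groups) is resolved into the group list that `id` prints on a Linux client, and why Howard's point holds: moving the user's entry to another ou changes only its DN, so its group membership is unaffected unless the group entries themselves are edited. The LDIF, DNs, uids and gid numbers are constructed for the example; the parser is a minimal reader for this sample, not a general LDIF implementation.

```python
# Added example (not code from the OpenLDAP project or the thread participants).
# Resolves POSIX group membership the way nss_ldap/sssd do under RFC 2307:
# primary group = the account's gidNumber, secondary groups = every posixGroup
# whose memberUid lists the account's uid. The DN (and thus the ou) is ignored.

# Constructed sample directory: hypothetical DNs, uids and gid numbers.
SAMPLE_LDIF = """\
dn: uid=fred,ou=DeptA,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: fred
cn: Fred
sn: Example
uidNumber: 10001
gidNumber: 5001
homeDirectory: /home/fred

dn: cn=depta,ou=posix,dc=example,dc=org
objectClass: posixGroup
cn: depta
gidNumber: 5001

dn: cn=webserver,ou=posix,dc=example,dc=org
objectClass: posixGroup
cn: webserver
gidNumber: 6001
memberUid: fred
memberUid: alice

dn: cn=mailservers,ou=posix,dc=example,dc=org
objectClass: posixGroup
cn: mailservers
gidNumber: 6002
memberUid: alice
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, folded lines
    (leading space) are joined, base64 ('::') values are not handled. Attribute
    names are lower-cased because LDAP compares them case-insensitively."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]          # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_class(entry, name):
    return name.lower() in {v.lower() for v in entry.get("objectclass", [])}


def posix_groups(entries, uid):
    """Return (primary_gid, {gid: cn}) for uid following the RFC 2307 rules."""
    account = next((e for e in entries
                    if has_class(e, "posixAccount") and uid in e.get("uid", [])), None)
    if account is None:
        raise KeyError("no posixAccount with uid=%s" % uid)
    primary = int(account["gidnumber"][0])
    groups = {}
    for e in entries:
        if not has_class(e, "posixGroup"):
            continue
        gid = int(e["gidnumber"][0])
        if gid == primary or uid in e.get("memberuid", []):
            groups[gid] = e["cn"][0]
    return primary, groups


def id_output(entries, uid):
    """Render the 'gid=... groups=...' part the way id(1) prints it."""
    primary, groups = posix_groups(entries, uid)
    listed = ",".join("%d(%s)" % (g, n) for g, n in sorted(groups.items()))
    return "gid=%d(%s) groups=%s" % (primary, groups[primary], listed)


def move_entry(entries, uid, new_parent):
    """Simulate a modrdn/move of the user's entry under another ou. Only the
    DN changes; gidNumber and the memberUid references stay as they are, so the
    ou by itself cannot carry the role."""
    moved = []
    for e in entries:
        e = {k: list(v) for k, v in e.items()}
        if has_class(e, "posixAccount") and uid in e.get("uid", []):
            rdn = e["dn"][0].split(",", 1)[0]
            e["dn"] = ["%s,%s" % (rdn, new_parent)]
        moved.append(e)
    return moved


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print(id_output(tree, "fred"))
    moved = move_entry(tree, "fred", "ou=DeptB,dc=example,dc=org")
    print(id_output(moved, "fred"))   # identical: groups, not the ou, carry the role
```

Running it prints the same `gid=5001(depta) groups=5001(depta),6001(webserver)` line before and after the simulated move to ou=DeptB; to change what `id` shows, the memberUid values on the posixGroup entries (or the account's gidNumber) have to be modified, which is the explicit group management llg and Howard are pointing at.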
