Hi Milan,

I know RedHat's IPA server can do this, but that is based on 389 Directory Server. Also, have a look here: http://www.mail-archive.com/[email protected]/msg06902.html

This guy succeeded, but with a combination of posixGroup and groupOfMembers. I'll try to see if I get your suggestion working, although I don't like to change the default schema too much. Ideally nss_ldap should give us more options in this regard.

Greetz,
Fred <http://epsilon.eridani.nl>

2012/2/22 Ponjevic, Milan <[email protected]>:

> Hi Fred,
>
> Have you tried 'hacking' your schema, and changing for example 'STRUCTURAL' to 'AUXILIARY'? In that case you would be able to specify both posixGroup and groupOfMembers, or even use groupOfNames.
>
> Have a look at this:
> http://serverfault.com/questions/224750/dn-based-linux-groups-from-ldap/226267#226267
>
> I am also struggling to understand what is the best way to implement this, and I would really appreciate it if somebody has already done it and can share the idea.
>
> Regards
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Fred van Zwieten
> Sent: 22 February 2012 11:00
> To: [email protected]
> Subject: Re: Howto implement RBAC with OU's and posixGroups
>
> Howard,
>
> So, what is the right way? Could you give me an example of how to set this up or give me a reference to a good source on this?
>
> Thank you!
>
> Greetz,
>
> Fred <http://epsilon.eridani.nl>
>
> 2012/2/22 Howard Chu <[email protected]>:
>
> > Fred van Zwieten wrote:
> >
> > > Hi llg,
> > >
> > > I fail to see how this solves my RBAC need.
> > >
> > > Let me give an example:
> > >
> > > Say personA is in ou DeptA. Then, ideally, personA would, based on being in this ou, become a member of group webserver.
> > >
> > > Now, when I move personA to ou DeptB, this would mean that, on the next login, it loses its membership of group webserver, but now becomes a member of, i.e., group mailservers.
> > >
> > > This way, you implement security policies based on the role of a person.
> >
> > This is not the right way to implement roles. Generally DNs are intended to be constant (though obviously they are allowed to change, changes should be infrequent).
> >
> > > How could this ideally be done with OpenLDAP?
> > >
> > > Greetz,
> > >
> > > Fred <http://epsilon.eridani.nl>
> > >
> > > 2012/2/22 llg <[email protected]>:
> > >
> > > > Hi,
> > > >
> > > > Persons should use the inetOrgPerson and PosixAccount schemas: gidNumber gives the primary group.
> > > >
> > > > Then define a specific branch ou=posix based on the PosixGroup schema and add the uid of the person to the multi-valued memberUid attribute to specify secondary gids.
> > > >
> > > > Regards
> > > > Llg
> > > >
> > > > On 22/02/2012 10:22, Fred van Zwieten wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > Warning: OpenLDAP newbie..
> > > > >
> > > > > Is it possible to have a person put into an OU and, because of this, become a member of some group in such a way that this group shows up in Linux using "id"? This is to implement some form of RBAC. I found groupOfMembers, but that has nothing to do with OU's. Also, it seems the posixGroup and groupOfMembers object types are no longer allowed together because they are both STRUCTURAL.
> > > > >
> > > > > In AD this is possible.
> > > > >
> > > > > Greetz,
> > > > >
> > > > > Fred <http://epsilon.eridani.nl>
> >
> > --
> > -- Howard Chu
> > CTO, Symas Corp. http://www.symas.com
> > Director, Highland Sun http://highlandsun.com/hyc/
> > Chief Architect, OpenLDAP http://www.openldap.org/project/
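Added example, not code from anyone in this thread: a small Python model of how an NSS LDAP client derives the output of `id` from the layout llg describes (posixAccount gidNumber for the primary group, posixGroup memberUid for secondary groups). All entries, uids and gidNumbers are constructed sample data; the model also shows that moving a user's entry to another OU changes nothing the lookup reads, which is why a role has to be granted explicitly through memberUid rather than inferred from the OU, as Howard's reply implies.

```python
# Constructed sample directory: people in per-department OUs, groups in ou=posix.
PEOPLE = [
    {"dn": "uid=personA,ou=DeptA,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": "personA", "uidNumber": 10001, "gidNumber": 5000},
    {"dn": "uid=personB,ou=DeptB,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": "personB", "uidNumber": 10002, "gidNumber": 5000},
]

GROUPS = [
    {"dn": "cn=users,ou=posix,dc=example,dc=com", "cn": "users",
     "gidNumber": 5000, "memberUid": []},
    {"dn": "cn=webserver,ou=posix,dc=example,dc=com", "cn": "webserver",
     "gidNumber": 5001, "memberUid": ["personA"]},
    {"dn": "cn=mailservers,ou=posix,dc=example,dc=com", "cn": "mailservers",
     "gidNumber": 5002, "memberUid": ["personB"]},
]


def id_for(uid, people=PEOPLE, groups=GROUPS):
    """Return (primary group, sorted secondary groups) as `id` would report them.
    Primary: the group whose gidNumber matches the account's gidNumber.
    Secondary: every posixGroup whose memberUid lists this uid.
    The account's DN, and therefore its OU, is never consulted."""
    person = next(p for p in people if p["uid"] == uid)
    primary = next(g["cn"] for g in groups if g["gidNumber"] == person["gidNumber"])
    secondary = sorted(g["cn"] for g in groups if uid in g["memberUid"])
    return primary, secondary


def move_to_ou(uid, new_ou, people=PEOPLE):
    """Simulate a modrdn that moves the entry to another OU: only the DN
    changes, so the groups reported by id_for() stay exactly the same."""
    person = next(p for p in people if p["uid"] == uid)
    person["dn"] = f"uid={uid},ou={new_ou},dc=example,dc=com"
    return person["dn"]


def assign_role(uid, group_cn, groups=GROUPS):
    """Grant a role the way llg suggests: add the uid to the group's
    memberUid. Returns the group's member list afterwards."""
    group = next(g for g in groups if g["cn"] == group_cn)
    if uid not in group["memberUid"]:
        group["memberUid"].append(uid)
    return list(group["memberUid"])
```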
