[Date Prev][Date Next]
Re: Howto implement RBAC with OU's and posixGroups
Fred van Zwieten wrote:
I fail to see how this solves my RBAC need.
Let me give an example:
Say, personA is in ou DeptA. Then, ideally personA would based on being in
this ou, become member of group webserver
No, when I move personA to ou DeptB, this would mean that, on the next login,
it looses it's membership to group Webserver, but now becomes member of ie
This way, you implement security policies based on the role of a person.
This is not the right way to implement roles. Generally DNs are intended to be
constant (though obviously they are allowed to change, changes should be
How could this ideally be done with OpenLDAP?
2012/2/22 llg <email@example.com <mailto:firstname.lastname@example.org>>
persons should use inetOrgPerson and PosixAccount schemas : gidNumber
gives primary group.
Then define specific branch ou=posix based on PosixGroup schema and add
the uid of the person in memberUid multiple values attribute to specify
Le 22/02/2012 10:22, Fred van Zwieten a Ãcrit :
warning: openldap newbie..
is it possible to have a person put into an OU and, because of this,
will become member of some group in such a way that this group shows up
in linux using "id". This to implement some form of RBAC. I found
GroupofMembers, but that has nothing to do with OU's. Also, it seems
posixGroup and groupOfMembers objecttypes are no longer allowed together
because the are both STRUCTURAL.
In AD this is possible.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/