[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Howto implement RBAC with OU's and posixGroups

Fred van Zwieten wrote:

What I mean with "this" in "in AD this is possible" is the fact that you can
assign group membership to OU membership (When user A is member of OU B, user
A will become member of group C".

Afaik this is not possible with OpenLDAP. If it is, I would really like to
know how. My only bet is with dynamic groups/list, but I have no idea how.
It is possible, but it is stupid. An entry can only reside under a single parent, but in most organizations a user can occupy multiple roles. The approach you're pursuing is a dead end. 


Fred


2012/2/23 Buchan Milne <bgmilne@staff.telkomsa.net
<mailto:bgmilne@staff.telkomsa.net>>

    On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote:
     > Hi all,
     >
     > warning: openldap newbie..
     >
     > is it possible to have a person put into an OU and, because of this, will
     > become member of some group in such a way that this group shows up in linux
     > using "id". This to implement some form of RBAC. I found GroupofMembers,
     > but that has nothing to do with OU's. Also, it seems posixGroup and
     > groupOfMembers objecttypes are no longer allowed together because the are
     > both STRUCTURAL.

    Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural.

     > In AD this is possible.

    It is possible in OpenLDAP too. Just now with nis.schema. Most LDAP clients
    support rfc2307bis.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/