[Date Prev][Date Next]
Re: Howto implement RBAC with OU's and posixGroups
Fred van Zwieten wrote:
What I mean with "this" in "in AD this is possible" is the fact that you can
assign group membership to OU membership (When user A is member of OU B, user
A will become member of group C".
Afaik this is not possible with OpenLDAP. If it is, I would really like to
know how. My only bet is with dynamic groups/list, but I have no idea how.
It is possible, but it is stupid. An entry can only reside under a single
parent, but in most organizations a user can occupy multiple roles. The
approach you're pursuing is a dead end.
2012/2/23 Buchan Milne <firstname.lastname@example.org
On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote:
> Hi all,
> warning: openldap newbie..
> is it possible to have a person put into an OU and, because of this, will
> become member of some group in such a way that this group shows up in linux
> using "id". This to implement some form of RBAC. I found GroupofMembers,
> but that has nothing to do with OU's. Also, it seems posixGroup and
> groupOfMembers objecttypes are no longer allowed together because the are
> both STRUCTURAL.
Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural.
> In AD this is possible.
It is possible in OpenLDAP too. Just now with nis.schema. Most LDAP clients
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/