Howard,<br><br>So, what is the right way? Could you give me an example how to set this up or give me a reference to a good source on this?<br><br>Thank you!<br><br clear="all">Greetz,<div><br></div><div><font color="#333333" face="&#39;Trebuchet MS&#39;, Helvetica, Arial, sans-serif"><a href="http://epsilon.eridani.nl" target="_blank">Fred</a></font></div>
<br>
<br><br><div class="gmail_quote">2012/2/22 Howard Chu <span dir="ltr">&lt;<a href="mailto:hyc@symas.com">hyc@symas.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Fred van Zwieten wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi llg,<br>
<br>
I fail to see how this solves my RBAC need.<br>
<br>
Let me give an example:<br>
<br>
Say, personA is in ou DeptA. Then, ideally personA would based on being in<br>
this ou, become member of group webserver<br>
<br>
No, when I move personA to ou DeptB, this would mean that, on the next login,<br>
it looses it&#39;s membership to group Webserver, but now becomes member of ie<br>
group mailservers<br>
<br>
This way, you implement security policies based on the role of a person.<br>
</blockquote>
<br></div>
This is not the right way to implement roles. Generally DNs are intended to be constant (though obviously they are allowed to change, changes should be infrequent).<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
How could this ideally be done with OpenLDAP?<br>
<br>
Greetz,<br>
<br></div>
Fred &lt;<a href="http://epsilon.eridani.nl" target="_blank">http://epsilon.eridani.nl</a>&gt;<br>
<br>
<br>
<br>
2012/2/22 llg &lt;<a href="mailto:llg@portaildulibre.fr" target="_blank">llg@portaildulibre.fr</a> &lt;mailto:<a href="mailto:llg@portaildulibre.fr" target="_blank">llg@portaildulibre.fr</a>&gt;<u></u>&gt;<div class="im">
<br>
<br>
    Hi,<br>
        persons should use inetOrgPerson and PosixAccount schemas : gidNumber<br>
    gives primary group.<br>
<br>
    Then define specific branch ou=posix based on PosixGroup schema and add<br>
    the uid of the person in memberUid multiple values attribute to specify<br>
    secondary gid.<br>
<br>
    Regards<br>
    Llg<br>
<br>
    Le 22/02/2012 10:22, Fred van Zwieten a écrit :<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
    Hi all,<br>
<br>
    warning: openldap newbie..<br>
<br>
    is it possible to have a person put into an OU and, because of this,<br>
    will become member of some group in such a way that this group shows up<br>
    in linux using &quot;id&quot;. This to implement some form of RBAC. I found<br>
    GroupofMembers, but that has nothing to do with OU&#39;s. Also, it seems<br>
    posixGroup and groupOfMembers objecttypes are no longer allowed together<br>
    because the are both STRUCTURAL.<br>
<br>
    In AD this is possible.<br>
<br>
    Greetz,<br>
<br></div>
    Fred &lt;<a href="http://epsilon.eridani.nl" target="_blank">http://epsilon.eridani.nl</a>&gt;<br>
<br>
</blockquote>
<br>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
  -- Howard Chu<br>
  CTO, Symas Corp.           <a href="http://www.symas.com" target="_blank">http://www.symas.com</a><br>
  Director, Highland Sun     <a href="http://highlandsun.com/hyc/" target="_blank">http://highlandsun.com/hyc/</a><br>
  Chief Architect, OpenLDAP  <a href="http://www.openldap.org/project/" target="_blank">http://www.openldap.org/<u></u>project/</a><br>
</font></span></blockquote></div><br>