--On Friday, April 10, 2015 5:02 PM +0400 Poul Etto <zepouletto@gmail.com> wrote:
> Hi,
> Thank you for answers...
> Michael: We didn't know about it... We need such a structure as each of our employees has an account but does not always have access to all our services (and there really are many), so we preferred splitting everything in different OUs.
That's very poor design.
> Quanah: To be honest, we have no LDAP expert in our technical team, so if you have some time to explain how to set it up in a good way, we would be very glad.
The most trivial way to do it is to create an AUX objectClass that has an attribute that tracks which services an employee has access to, and then simply configure things to use that attribute when allowing access to a system.
# companyOID and companyOID2 are placeholders for OIDs from your own arc; each definition needs its own distinct OID
olcAttributeTypes: ( companyOID NAME ( 'myCompanyServices' ) DESC 'services an employee has access to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )
# the attribute is multi-valued (no SINGLE-VALUE), so one account can list several services
olcObjectClasses: ( companyOID2 NAME 'myCustomObject' DESC 'Custom object for my company' SUP top AUXILIARY MAY ( myCompanyServices ) )
Then add that AUX OC onto any account.
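To show how a service would then consult that attribute, here is an added Python example (not code from the thread or from OpenLDAP). The entry dictionary shape, the constructed sample accounts and the helper names are assumptions, and the local match mimics the caseIgnoreMatch rule only approximately.

```python
"""Entitlement check built on the myCompanyServices attribute (added example).
Assumed: entries are dicts of attribute -> list of values; DIRECTORY is constructed."""
from typing import Dict, List

# RFC 4515 escaping: a uid or service name taken from a login form must not be
# able to widen the filter (e.g. "*" or ")(objectClass=*").
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def service_filter(uid: str, service: str) -> str:
    """Search filter a service sends to slapd to ask 'may this uid use this service?'.
    Accounts without the AUX objectClass never match, so they get nothing by default."""
    return (
        "(&(objectClass=myCustomObject)"
        f"(uid={escape_filter_value(uid)})"
        f"(myCompanyServices={escape_filter_value(service)}))"
    )


def has_service(entry: Dict[str, List[str]], service: str) -> bool:
    """Local equivalent of the filter's myCompanyServices clause.
    The schema declares EQUALITY caseIgnoreMatch, so 'VPN' and 'vpn' match,
    and the attribute is multi-valued, so any one matching value is enough."""
    if "myCustomObject" not in entry.get("objectClass", []):
        return False  # AUX class not added to this account: no entitlements
    wanted = service.strip().casefold()
    return any(v.strip().casefold() == wanted for v in entry.get("myCompanyServices", []))


# Constructed sample entries, not real directory data.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"objectClass": ["inetOrgPerson", "myCustomObject"],
              "myCompanyServices": ["vpn", "Wiki"]},
    "bob": {"objectClass": ["inetOrgPerson"]},  # AUX OC never added
}


def may_access(uid: str, service: str) -> bool:
    entry = DIRECTORY.get(uid)
    return entry is not None and has_service(entry, service)
```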
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration