--On Friday, April 10, 2015 5:02 PM +0400 Poul Etto <zepouletto(a)gmail.com>
wrote:
> Hi,
>
> Thank you for answers...
>
> Michael: We didn't know about it... We need such a structure as each of
> our employees has an account but does not always have access to all our
> services (and there really are many), so we preferred splitting everything
> in different OUs.

That's very poor design.

> Quanah: To be honest, we have no LDAP expert in our technical team, so if
> you have some time to explain how to set it up in a good way, we would be
> very glad.

The most trivial way to do it is to create an AUX objectClass that has an
attribute that tracks which services an employee has access to, and then
simply configure things to use that attribute when allowing access to a
system.

# companyOID and the leading myCustomObject are placeholders for numeric OIDs
olcAttributeTypes: ( companyOID
  NAME ( 'myCompanyServices' )
  DESC 'services an employee has access to'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  EQUALITY caseIgnoreMatch )
olcObjectClasses: ( myCustomObject
  NAME 'myCustomObject'
  DESC 'Custom object for my company'
  SUP top AUXILIARY
  MAY (
    myCompanyServices
  )
  )

Then add that AUX OC onto any account.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
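
Added example, not part of the message above and not OpenLDAP or Zimbra code: one way a service could use the myCompanyServices attribute when allowing access, plus the ldapmodify input that grants a service to an account. The sample DN, uid and service names are constructed, and has_service() is only a local stand-in for the server's caseIgnoreMatch comparison.

```python
import base64

# RFC 4515: characters that must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape untrusted input (a login name) before placing it in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def service_filter(uid, service):
    """Search filter a service uses so only accounts granted that service match."""
    return "(&(uid=%s)(objectClass=myCustomObject)(myCompanyServices=%s))" % (
        escape_filter_value(uid), escape_filter_value(service))


def ldif_line(attr, value):
    """One LDIF line; values that are not an RFC 2849 SAFE-STRING go out as base64."""
    raw = value.encode("utf-8")
    safe = (raw.isascii() and not any(b in raw for b in (b"\n", b"\r", b"\x00"))
            and raw[:1] not in (b" ", b":", b"<") and not raw.endswith(b" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def grant_ldif(dn, service, has_aux_class):
    """ldapmodify input that grants one service to an existing account."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    if not has_aux_class:  # the entry needs the AUX class for the attribute to be allowed
        lines += ["add: objectClass", "objectClass: myCustomObject", "-"]
    lines += ["add: myCompanyServices", ldif_line("myCompanyServices", service), "-"]
    return "\n".join(lines) + "\n"


def has_service(entry, service):
    """Local stand-in for the server-side caseIgnoreMatch comparison."""
    wanted = service.casefold()
    return any(v.casefold() == wanted for v in entry.get("myCompanyServices", []))


# Constructed sample account; the DN, uid and service names are made up.
SAMPLE = {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "uid": ["jdoe"],
          "objectClass": ["inetOrgPerson", "myCustomObject"],
          "myCompanyServices": ["VPN", "wiki"]}
```

Each service binds or searches with its own service_filter() value, so an account without that service simply does not match, wherever it sits in the tree.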