Hi Milan,

I know RedHat's IPA server can do this, but that based on 389 Directory Server. Also, have a look here: http://www.mail-archive.com/sssd-devel@lists.fedorahosted.org/msg06902.html

This guy succeeded, but with a combi of posixGroup and groupOfMembers. I'll try to see if I get you suggestion working, although I don't like to change the default schema too much.

Ideally nss_ldap should give us more options in this regard.

Greetz,

Fred



2012/2/22 Ponjevic, Milan <Milan.Ponjevic@travelocity.com>

Hi Fred,

 

Have you tried ‘hacking’ your schema, and change for example ‘STRUCTURAL’ to ‘AUXILIARY’. In that case you would be able to specify both posixGroup and groupOfMembers, or even use groupOfNames.

 

Have a lok at this

http://serverfault.com/questions/224750/dn-based-linux-groups-from-ldap/226267#226267

 

I am also struggling to understand what is the best way to implement this, and I would really appreciate if somebody already done it, and can share the idea.

 

Regards

 

 

 

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Fred van Zwieten
Sent: 22 February 2012 11:00
To: openldap-technical@openldap.org
Subject: Re: Howto implement RBAC with OU's and posixGroups

 

Howard,

So, what is the right way? Could you give me an example how to set this up or give me a reference to a good source on this?

Thank you!

Greetz,

 



2012/2/22 Howard Chu <hyc@symas.com>

Fred van Zwieten wrote:

Hi llg,

I fail to see how this solves my RBAC need.

Let me give an example:

Say, personA is in ou DeptA. Then, ideally personA would based on being in
this ou, become member of group webserver

No, when I move personA to ou DeptB, this would mean that, on the next login,
it looses it's membership to group Webserver, but now becomes member of ie
group mailservers

This way, you implement security policies based on the role of a person.

 

This is not the right way to implement roles. Generally DNs are intended to be constant (though obviously they are allowed to change, changes should be infrequent).


How could this ideally be done with OpenLDAP?

Greetz,

Fred <http://epsilon.eridani.nl>



2012/2/22 llg <llg@portaildulibre.fr <mailto:llg@portaildulibre.fr>>



   Hi,
       persons should use inetOrgPerson and PosixAccount schemas : gidNumber
   gives primary group.

   Then define specific branch ou=posix based on PosixGroup schema and add
   the uid of the person in memberUid multiple values attribute to specify
   secondary gid.

   Regards
   Llg

   Le 22/02/2012 10:22, Fred van Zwieten a écrit :

   Hi all,

   warning: openldap newbie..

   is it possible to have a person put into an OU and, because of this,
   will become member of some group in such a way that this group shows up
   in linux using "id". This to implement some form of RBAC. I found
   GroupofMembers, but that has nothing to do with OU's. Also, it seems
   posixGroup and groupOfMembers objecttypes are no longer allowed together
   because the are both STRUCTURAL.

   In AD this is possible.

   Greetz,

   Fred <http://epsilon.eridani.nl>

 



--
 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/