What I mean by "this" in "in AD this is possible" is the fact that you can tie group membership to OU membership (when user A is a member of OU B, user A becomes a member of group C).
AFAIK this is not possible with OpenLDAP. If it is, I would really like to know how. My only bet is with dynamic groups/lists, but I have no idea how.
Fred
2012/2/23 Buchan Milne bgmilne@staff.telkomsa.net
On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote:
Hi all,
warning: openldap newbie..
is it possible to have a person put into an OU and, because of this, have them become a member of some group in such a way that this group shows up in Linux using "id"? This is to implement some form of RBAC. I found groupOfMembers, but that has nothing to do with OUs. Also, it seems the posixGroup and groupOfMembers object types are no longer allowed together because they are both STRUCTURAL.
Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural.
In AD this is possible.
It is possible in OpenLDAP too. Just not with nis.schema. Most LDAP clients support rfc2307bis.
Regards, Buchan
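The two concrete points in this exchange, written out as an added example that is not from the thread's authors: an LDIF showing (1) a group that carries both groupOfNames and posixGroup, which loads only with rfc2307bis.schema, where posixGroup is AUXILIARY, and (2) the slapo-dynlist configuration and groupOfURLs entry that come closest to the "dynamic groups/lists" idea of deriving membership from an OU. The suffix dc=example,dc=com, the OU and group names, the uid and gidNumber values, and the cn=config database RDN {1}mdb are placeholders; the memberUid:uid mapping uses the <mapped-ad>:<member-ad> form of dynlist-attrset, so check it against slapo-dynlist(5) for your release.

```ldif
# 1. Static group combining groupOfNames (STRUCTURAL) with posixGroup.
#    Loads under rfc2307bis.schema, where posixGroup is AUXILIARY.
#    Under nis.schema both classes are STRUCTURAL and slapd rejects the
#    entry with an objectClass violation ("invalid structural object
#    class chain (groupOfNames/posixGroup)").
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: admins
gidNumber: 10001
member: uid=fred,ou=People,dc=example,dc=com
memberUid: fred

# 2. Dynamic variant: enable slapo-dynlist on the data database
#    (cn=config style; the database RDN {1}mdb is an assumption).
#    The attrset line means: for entries of class groupOfURLs, expand
#    each memberURL, add the matched entries' DNs as 'member' and their
#    'uid' values as 'memberUid' (mapped-ad:member-ad form, verify it
#    against slapo-dynlist(5) for your version).
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL member memberUid:uid

# 3. A group whose members are "every posixAccount directly under
#    ou=Sales". The URL's scope is 'one', so the OU is the membership
#    rule. posixGroup rides along only because it is AUXILIARY in
#    rfc2307bis; gidNumber is what makes it a POSIX group for 'id'.
dn: cn=sales,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
objectClass: posixGroup
cn: sales
gidNumber: 10002
memberURL: ldap:///ou=Sales,ou=People,dc=example,dc=com??one?(objectClass=posixAccount)
```

Load the two group records with ldapadd against the data database and the overlay record into cn=config (on builds where dynlist is a loadable module, an olcModuleLoad: dynlist line is needed first). Two caveats a deployer will hit: dynlist values are generated at search time, and on OpenLDAP 2.4 they are not evaluated in search filters, so an NSS client that resolves "id" with a filter such as (&(objectClass=posixGroup)(memberUid=fred)) will not find cn=sales even though reading the entry by DN shows memberUid: fred; later releases relaxed this, so check slapo-dynlist(5) for the version you run. And the memberURL simply encodes the tree: because a user entry has exactly one parent, a user who needs a second role still needs a static group or a second URL-based group, which is the single-parent objection raised in the reply below.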
Fred van Zwieten wrote:
What I mean by "this" in "in AD this is possible" is the fact that you can tie group membership to OU membership (when user A is a member of OU B, user A becomes a member of group C).
AFAIK this is not possible with OpenLDAP. If it is, I would really like to know how. My only bet is with dynamic groups/lists, but I have no idea how.
It is possible, but it is stupid. An entry can only reside under a single parent, but in most organizations a user can occupy multiple roles. The approach you're pursuing is a dead end.
openldap-technical@openldap.org