[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Howto implement RBAC with OU's and posixGroups

To: openldap-technical@openldap.org
Subject: Re: Howto implement RBAC with OU's and posixGroups
From: Fred van Zwieten <fvzwieten@gmail.com>
Date: Wed, 22 Feb 2012 11:12:21 +0100
Authentication-results: mr.google.com; spf=pass (google.com: domain of fvzwieten@gmail.com designates 10.50.208.4 as permitted sender) smtp.mail=fvzwieten@gmail.com; dkim=pass header.i=fvzwieten@gmail.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=08qXxxd0tA/dkNI+n3yuB0jB8aZw25V6g99bh4eADIc=; b=lWZPQQoT/XqQAriedEPZpU/mm++AD4S3NzcaTHTzZc5NyF4M/qgjohFHTv2Dpfsl7R wHwqzobL1Qxv0r5RJXb8GSXjqdXO6so6nA1ZG2Ju+ZK+QKWnxDYs91YlbM55ArWS3T5b QhJsmaurgo9KiAQbHEocAToO2DV/TdR4HzeG4=
In-reply-to: <4F44B9C0.8040907@portaildulibre.fr>
References: <CALVifsbKEYWmAMw+y=cZ8wDbHJC2goi9bt1Wd33sSsmfrbhzAw@mail.gmail.com> <4F44B9C0.8040907@portaildulibre.fr>

Hi llg,

I fail to see how this solves my RBAC need.

Let me give an example:

Say, personA is in ou DeptA. Then, ideally personA would based on being in this ou, become member of group webserver

No, when I move personA to ou DeptB, this would mean that, on the next login, it looses it's membership to group Webserver, but now becomes member of ie group mailservers

This way, you implement security policies based on the role of a person.

How could this ideally be done with OpenLDAP?

Greetz,

Fred

2012/2/22 llg <llg@portaildulibre.fr>

Hi,
ÂÂ persons should use inetOrgPerson and PosixAccount schemas : gidNumber gives primary group.

Then define specific branch ou=posix based on PosixGroup schema and add the uid of the person in memberUid multiple values attribute to specify secondary gid.

Regards
Llg

Le 22/02/2012 10:22, Fred van Zwieten a ÃcritÂ:
Hi all,

warning: openldap newbie..

is it possible to have a person put into an OU and, because of this, will become member of some group in such a way that this group shows up in linux using "id". This to implement some form of RBAC. I found GroupofMembers, but that has nothing to do with OU's. Also, it seems posixGroup and groupOfMembers objecttypes are no longer allowed together because the are both STRUCTURAL.

In AD this is possible.

Greetz,

Fred

Follow-Ups:
- Re: Howto implement RBAC with OU's and posixGroups
  - From: Howard Chu <hyc@symas.com>

References:
- Howto implement RBAC with OU's and posixGroups
  - From: Fred van Zwieten <fvzwieten@gmail.com>
- Re: Howto implement RBAC with OU's and posixGroups
  - From: llg <llg@portaildulibre.fr>

Prev by Date: Re: DEL don't get synced
Next by Date: Re: DEL don't get synced
Index(es):
- Chronological
- Thread