Re: Howto implement RBAC with OU's and posixGroups

To: openldap-technical@openldap.org

Subject: Re: Howto implement RBAC with OU's and posixGroups

From: Fred van Zwieten <fvzwieten@gmail.com>

Date: Wed, 22 Feb 2012 12:00:29 +0100

Authentication-results: mr.google.com; spf=pass (google.com: domain of fvzwieten@gmail.com designates 10.42.107.9 as permitted sender) smtp.mail=fvzwieten@gmail.com; dkim=pass header.i=fvzwieten@gmail.com

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=BBxJm8o5AkKD53sRVI15ClDVeEeDSGXcuba7wYiJLCw=; b=aZAf8ag/tpuBAsPvBdft25F6nUuzP3cPa/be2HGYCB8epIMrtL6CDVo0dvKSGLo437 wE0W5uokS09FkzAT4R4Y/p5kJcznuxxZG1VOEKmo84djP1+EuZkkyApRROp+14J1Aw/O hxf02Luf6BZPvhIO9Mt+q1E9cBgW4f7hzlX0w=

In-reply-to: <4F44C822.9070406@symas.com>

References: <CALVifsbKEYWmAMw+y=cZ8wDbHJC2goi9bt1Wd33sSsmfrbhzAw@mail.gmail.com> <4F44B9C0.8040907@portaildulibre.fr> <CALVifsYnQLWBBgVfdaFeZzfDdft09S3hcGLENoRYXgy2HoL3dg@mail.gmail.com> <4F44C822.9070406@symas.com>

2012/2/22 Howard Chu <hyc@symas.com>

Fred van Zwieten wrote:

Hi llg,

I fail to see how this solves my RBAC need.

Let me give an example:

Say, personA is in ou DeptA. Then, ideally personA would based on being in
this ou, become member of group webserver

No, when I move personA to ou DeptB, this would mean that, on the next login,
it looses it's membership to group Webserver, but now becomes member of ie
group mailservers

This way, you implement security policies based on the role of a person.

This is not the right way to implement roles. Generally DNs are intended to be constant (though obviously they are allowed to change, changes should be infrequent).

How could this ideally be done with OpenLDAP?

Greetz,

Fred <http://epsilon.eridani.nl>

2012/2/22 llg <llg@portaildulibre.fr <mailto:llg@portaildulibre.fr>>

Â ÂHi,
Â Â Â Âpersons should use inetOrgPerson and PosixAccount schemas : gidNumber
Â Âgives primary group.

Â ÂThen define specific branch ou=posix based on PosixGroup schema and add
Â Âthe uid of the person in memberUid multiple values attribute to specify
Â Âsecondary gid.

Â ÂRegards
Â ÂLlg

Â ÂLe 22/02/2012 10:22, Fred van Zwieten a Ãcrit :

Â ÂHi all,

Â Âwarning: openldap newbie..

Â Âis it possible to have a person put into an OU and, because of this,
Â Âwill become member of some group in such a way that this group shows up
Â Âin linux using "id". This to implement some form of RBAC. I found
Â ÂGroupofMembers, but that has nothing to do with OU's. Also, it seems
Â ÂposixGroup and groupOfMembers objecttypes are no longer allowed together
Â Âbecause the are both STRUCTURAL.

Â ÂIn AD this is possible.

Â ÂGreetz,

Â ÂFred <http://epsilon.eridani.nl>

--
Â-- Howard Chu
ÂCTO, Symas Corp. Â Â Â Â Â http://www.symas.com
ÂDirector, Highland Sun Â Â http://highlandsun.com/hyc/
ÂChief Architect, OpenLDAP Âhttp://www.openldap.org/project/