Re: Howto implement RBAC with OU's and posixGroups

[Fred van Zwieten <fvzwieten@gmail.com>]

What I mean with "this" in "in AD this is possible" is the fact that you can assign group membership to OU membership (When user A is member of OU B, user A will become member of group C".

Afaik this is not possible with OpenLDAP. If it is, I would really like to know how. My only bet is with dynamic groups/list, but I have no idea how. 

Fred

2012/2/23 Buchan Milne <bgmilne@staff.telkomsa.net>

On Wednesday, 22 February 2012 11:22:55 Fred van Zwieten wrote:
> Hi all,
>
> warning: openldap newbie..
>
> is it possible to have a person put into an OU and, because of this, will
> become member of some group in such a way that this group shows up in linux
> using "id". This to implement some form of RBAC. I found GroupofMembers,
> but that has nothing to do with OU's. Also, it seems posixGroup and
> groupOfMembers objecttypes are no longer allowed together because the are
> both STRUCTURAL.

Not in nis.schema, but in rfc2307bis.schema, posixGroup is not structural.

> In AD this is possible.

It is possible in OpenLDAP too. Just now with nis.schema. Most LDAP clients
support rfc2307bis.

Regards,
Buchan