I need to separate two different types of users:
1. Login-accounts (need access to servers)
2. Administrative accounts (no technical use, only needed for QA reasons)
Type 2 should not get mixed with type 1. The reason being that security auditors
checking our company's security should not confuse these and should keep their
eyes focused on type 1 accounts only.
So I created a separate subtree to separate these types technically:
1: ou=css,ou=oss.....ou=unix,ou=users
2: ou=SecurityAdmins,ou=users
To let them log in to a LAM profile with read-only access to QA data, I need to
include all SecurityAdmins for LAM login. This is best done with a group object.
Then, to administer this bunch of objects, I created a LAM profile with write
access to this OU.
Unfortunately, there are users who need to log in to servers as well as do QA
tasks (some team leaders, the LDAP administrators, some more to come...).
I therefore created an alias object pointing to the subtree of users and
posixGroups where these accounts are to be found.
Ex:
dc=t-systems,dc=ch
|
+ou=css
|
+ou=oss...
|  ....
+ou=unix
|  |
|  +ou=posixgroups
|  |  |
|  |  +cn=P0050 (objectclass: posixGroup, member: PosixUser1)
|  |
|  +ou=posixusers
|     |
|     +uid=PosixUser1 (objectclass: posixuser, shadowaccount ...)
|
+ou=SecurityAdministration
   |
   +ou=Accounts
   |  |
   |  +cn=PosixAccounts (objectclass: alias, extensibleObject -> ou=posixusers)
   |  |
   |  +cn=securityGui1 (objectclass: inetOrgPerson, memberof: memberof-plugin)
   |  +....
   |
   +ou=Groups
   |  |
   |  +cn=PosixGroups (objectclass: alias, extensibleObject -> ou=Posixgroups)
   |  |
   |  +cn=Useradmins (member: PosixUser1)
   |  +cn=UserReview (member: securityGui1, PosixUser1)
   |  |
   |  +....
   |
   +......
Now, when using an LDAP browser, I can search for uid=PosixUser1 starting from
/ou=SecurityAdmins/ou=Accounts.
I can also search for memberof=cn=Useradmins starting from the same subtree.
I get PosixUser1 as a response, as well as cn=securityGui1.
So far, I am content, but....
It is still not possible to log in to the profile used for administering this
subtree as PosixUser1,
whereas it is perfectly possible using the cn=securityGui1 account.
(If the ASCII art is not pretty, see the attachment (hope this works on the
mailing list).)
Login configuration is as follows:
Method: ldap search
Suffix: ou=Accounts,ou=SecurityAdministration,dc=t-systems,dc=ch
Filter:
(&(uid=%USER%)(memberOf=cn=Useradmins,ou=Groups,ou=SecurityAdministration,dc=t-systems,dc=ch))
As I see it, the accesses to the LDAP backend are always sent using deref=0.
Backend is OpenLDAP 2.4.40.
I am not sure whether that means I am complaining about a bug or making a feature request.
Still learning and never stopping. Does someone have any idea?
Thanks,
Thomas
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
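The behaviour in the post comes down to the derefAliases field of the LDAP SearchRequest (RFC 4511): with deref=0 (neverDerefAliases) the server treats cn=PosixAccounts as an ordinary entry and never visits ou=posixusers, so (&(uid=PosixUser1)(memberOf=...)) under ou=Accounts matches nothing, while an LDAP browser searching with derefAlways does follow the alias. The following is an added example that models that search, written to reproduce both observations; it is not LAM or OpenLDAP code. The directory content is constructed from the ASCII tree above, securityGui1 is assumed to be a member of cn=Useradmins (since the post says its login through that filter works), DN handling ignores escaping, and the filter evaluator only supports AND-ed equality assertions.

```python
"""Model of how derefAliases (RFC 4511) changes a subtree search result.
Added example illustrating the post; not LAM or OpenLDAP code.
Directory content is constructed from the post's ASCII tree."""

from typing import Dict, FrozenSet, List

# derefAliases values from RFC 4511
NEVER_DEREF = 0          # what the post reports LAM sending (deref=0)
DEREF_IN_SEARCHING = 1
DEREF_FINDING_BASE = 2
DEREF_ALWAYS = 3         # typical LDAP browser default

Entry = Dict[str, List[str]]

SUFFIX = "ou=Accounts,ou=SecurityAdministration,dc=t-systems,dc=ch"
USERADMINS = "cn=Useradmins,ou=Groups,ou=SecurityAdministration,dc=t-systems,dc=ch"
USERREVIEW = "cn=UserReview,ou=Groups,ou=SecurityAdministration,dc=t-systems,dc=ch"
POSIXUSER1 = "uid=PosixUser1,ou=posixusers,ou=unix,dc=t-systems,dc=ch"
SECGUI1 = "cn=securityGui1,ou=Accounts,ou=SecurityAdministration,dc=t-systems,dc=ch"

# Constructed entries; attribute names stored lower-case.  memberOf values
# stand in for what the memberof overlay maintains on the server.
# Assumption: securityGui1 is in cn=Useradmins (its login works in the post).
DIRECTORY: Dict[str, Entry] = {
    SUFFIX: {"objectclass": ["organizationalUnit"]},
    "cn=PosixAccounts," + SUFFIX: {
        "objectclass": ["alias", "extensibleObject"],
        "aliasedobjectname": ["ou=posixusers,ou=unix,dc=t-systems,dc=ch"],
    },
    SECGUI1: {
        "objectclass": ["inetOrgPerson"],
        "uid": ["securityGui1"],
        "memberof": [USERADMINS, USERREVIEW],
    },
    "ou=posixusers,ou=unix,dc=t-systems,dc=ch": {"objectclass": ["organizationalUnit"]},
    POSIXUSER1: {
        "objectclass": ["posixAccount", "shadowAccount"],
        "uid": ["PosixUser1"],
        "memberof": [USERADMINS, USERREVIEW],
    },
}


def _is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies in its subtree (no DN escaping handled)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _is_alias(entry: Entry) -> bool:
    return any(oc.lower() == "alias" for oc in entry.get("objectclass", []))


def search_subtree(base: str, deref: int,
                   chain: FrozenSet[str] = frozenset()) -> Dict[str, Entry]:
    """Entries a whole-subtree search evaluates the filter against, keyed by
    the DN the server reports (the real DN of a dereferenced entry)."""
    key = base.lower()
    if key in chain:                      # guard against alias loops
        return {}
    chain = chain | {key}

    base_entry = DIRECTORY.get(base)
    if (base_entry is not None and _is_alias(base_entry)
            and deref in (DEREF_FINDING_BASE, DEREF_ALWAYS)):
        # an alias used as the search base is followed
        return search_subtree(base_entry["aliasedobjectname"][0], deref, chain)

    found: Dict[str, Entry] = {}
    for dn, entry in DIRECTORY.items():
        if not _is_under(dn, base):
            continue
        if (dn.lower() != key and _is_alias(entry)
                and deref in (DEREF_IN_SEARCHING, DEREF_ALWAYS)):
            # alias below the base is replaced by the subtree it points at
            found.update(search_subtree(entry["aliasedobjectname"][0], deref, chain))
            continue
        found[dn] = entry     # with neverDerefAliases the alias is just an entry
    return found


def matches(entry: Entry, assertions: Dict[str, str]) -> bool:
    """AND of equality assertions, case-insensitive for names and values."""
    for attr, wanted in assertions.items():
        values = entry.get(attr.lower(), [])
        if not any(v.lower() == wanted.lower() for v in values):
            return False
    return True


def lam_login_search(user: str, deref: int) -> List[str]:
    """The post's LAM login search: subtree under SUFFIX with the filter
    (&(uid=%USER%)(memberOf=cn=Useradmins,...)); returns the DNs found."""
    assertions = {"uid": user, "memberOf": USERADMINS}
    return sorted(dn for dn, entry in search_subtree(SUFFIX, deref).items()
                  if matches(entry, assertions))


if __name__ == "__main__":
    for label, mode in (("deref=0 (LAM)", NEVER_DEREF), ("deref=3 (browser)", DEREF_ALWAYS)):
        print(label, lam_login_search("PosixUser1", mode))
```

Against a real server the equivalent check is to run the login filter with `ldapsearch -a never` and again with `-a always` from the same base. Note that the DN a server returns for an entry reached through an alias is the entry's real DN under ou=posixusers, not a DN under ou=Accounts, so the alias only affects what the search finds, not where the account actually lives.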