Hi Thomas, instead of using aliases you could assign a group of names to the QA users and team leads. Then use dc=t-systems,dc=ch as login search suffix for the QA profile.
Best regards,
Roland

On 19 September 2018 17:51:26 CEST, [email protected] wrote:
> I have the need to separate two different types of users:
> 1. Login accounts (need access to servers)
> 2. Administrative accounts (no technical use, only needed for QA reasons)
>
> Type 2 should not get mixed with type 1. The reason being, security auditors checking our company security should not confuse these and keep their eyes focused on type 1 accounts only.
>
> So I created a different subtree to separate these types technically:
>
> 1: ou=css,ou=oss.....ou=unix,ou=users
> 2: ou=SecurityAdmins,ou=users
>
> To make them log in to a LAM profile with read-only access to QA data, I need to include all SecurityAdmins for LAM login. Best to be done by a group object.
> Then, to administer this bunch of objects, I created a LAM profile with write access to this ou.
>
> Unfortunately, there are users who need to log in to servers as well as for QA tasks (some team leaders, the LDAP administrators, some more to come...)
> I therefore created an alias object pointing to the subtree of users and posixgroups where these accounts are to be found.
>
> Ex:
> /dc=t-systems,dc=ch
> |
> +ou=css
> |
> +ou=oss...
> |....
> +ou=unix
> | |
> | +ou=posixgroups
> | | |
> | | +cn=P0050 (objectclass: posixgroup, member: PosixUser1)
> | |
> | +ou=posixusers
> |   |
> |   +uid=PosixUser1 (objectclass: posixuser, shadowaccount ...)
> |
> +ou=SecurityAdministration
>   |
>   +ou=Accounts
>   | |
>   | +cn=PosixAccounts (objectclass: alias, extensibleObject -> ou=posixusers)
>   | |
>   | +cn=securityGui1 (objectclass: inetOrgPerson, memberof: memberof-plugin)
>   | +....
>   |
>   +ou=Groups
>   | |
>   | +cn=PosixGroups (objectclass: alias, extensibleObject -> ou=Posixgroups)
>   | |
>   | +cn=Useradmins (member: PosixUser1)
>   | +cn=UserReview (member: securityGui1, PosixUser1)
>   | |
>   | +....
>   |
>   +......
>
> Now, when using an LDAP browser, I can search for uid=PosixUser1 starting from /ou=SecurityAdmins/ou=Accounts.
> I can also search for memberof=cn=Useradmins starting from the same subtree.
> I get this PosixUser1 as response, as well as cn=securityGui1.
>
> So far, I am content, but....
>
> It is still not possible to log into the profile used for administering this subtree using the PosixUser1.
> Whereas it is perfectly possible using the cn=securityGui1 account.
>
> (if the ASCII art is not pretty, see attachment (hope this works in the mailing list))
>
> Login configuration is as follows:
> Method: ldap search
> Suffix: ou=Accounts,ou=SecurityAdministration,dc=t-systems,dc=ch
> Filter:
> (&(uid=%USER%)(memberOf=cn=Useradmins,ou=Groups,ou=SecurityAdministration,dc=t-systems,dc=ch))
>
> As I see, the accesses to the LDAP backend are always sent using deref=0. Backend is OpenLDAP 2.4.40.
>
> I am not sure if that means I am complaining about a bug or making a feature request.
> Still learning and never stopping. Does someone have any idea?
>
> Thanks,
> Thomas
>
> Attached artwork:
_______________________________________________ Lam-public mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/lam-public
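The following is an added illustration, not code from LAM or from either author in the thread. It models the login search described above with a small in-memory directory and shows the two facts the thread turns on: with deref=0 (neverDerefAliases) the cn=PosixAccounts alias under ou=Accounts is just an entry without a uid, so uid=PosixUser1 is never found from that suffix, whereas searching from dc=t-systems,dc=ch with the same memberOf filter (Roland's suggestion) finds it without any alias dereferencing. The DIT, the uid on cn=securityGui1, the extra user PosixUser2 and the group memberships are constructed assumptions based on the ASCII tree, not real data.

```python
"""In-memory model of LAM's 'ldap search' login against the tree from the
thread.  Constructed sample data; it only illustrates alias dereferencing
and the memberOf-based filter, it does not talk to an LDAP server.
"""

ALIAS_OC = "alias"


def norm_dn(dn):
    """Canonical DN for comparison: lowercase, no whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True if dn equals base or lies anywhere below it (subtree scope)."""
    dn_parts = norm_dn(dn).split(",")
    base_parts = norm_dn(base).split(",")
    return dn_parts[-len(base_parts):] == base_parts


def subtree(dit, base):
    """All DNs in the DIT at or below base."""
    return [dn for dn in dit if is_under(dn, base)]


def search(dit, base, match, deref="never"):
    """Subtree search mimicking the derefAliases search parameter.

    deref="never"  -> alias entries are candidates like any other entry
                      (they carry no uid, so the login filter never matches).
                      This is what deref=0 on the wire means.
    deref="always" -> an alias found below the base is replaced by the
                      subtree of its aliasedObjectName.
    """
    found = set()
    pending = list(subtree(dit, base))
    seen_targets = set()                      # guard against alias loops
    while pending:
        dn = pending.pop()
        entry = dit[dn]
        classes = [oc.lower() for oc in entry.get("objectclass", [])]
        if deref == "always" and ALIAS_OC in classes:
            target = norm_dn(entry["aliasedobjectname"][0])
            if target not in seen_targets:
                seen_targets.add(target)
                pending.extend(subtree(dit, target))
            continue
        if match(entry):
            found.add(dn)
    return sorted(found)


def login_filter(user, group_dn):
    """(&(uid=%USER%)(memberOf=<group_dn>)) as a predicate over one entry."""
    want_group = norm_dn(group_dn)

    def match(entry):
        uids = [u.lower() for u in entry.get("uid", [])]
        groups = [norm_dn(g) for g in entry.get("memberof", [])]
        return user.lower() in uids and want_group in groups
    return match


def lam_login(dit, user, suffix, group_dn, deref="never"):
    """DNs the login search returns for a profile with this suffix and group."""
    return search(dit, suffix, login_filter(user, group_dn), deref)


# ---- constructed sample DIT, modelled on the tree in the mail ----------------
BASE = "dc=t-systems,dc=ch"
SEC_ACCOUNTS = "ou=Accounts,ou=SecurityAdministration," + BASE
USERADMINS = "cn=Useradmins,ou=Groups,ou=SecurityAdministration," + BASE
USERREVIEW = "cn=UserReview,ou=Groups,ou=SecurityAdministration," + BASE
P0050 = "cn=P0050,ou=posixgroups,ou=unix," + BASE
POSIXUSER1 = "uid=PosixUser1,ou=posixusers,ou=unix," + BASE

DIT = {
    POSIXUSER1: {
        "objectclass": ["posixAccount", "shadowAccount", "inetOrgPerson"],
        "uid": ["PosixUser1"],
        "memberof": [P0050, USERADMINS, USERREVIEW],   # memberof overlay values
    },
    "uid=PosixUser2,ou=posixusers,ou=unix," + BASE: {  # assumed: plain login account
        "objectclass": ["posixAccount", "shadowAccount", "inetOrgPerson"],
        "uid": ["PosixUser2"],
        "memberof": [P0050],
    },
    "cn=PosixAccounts," + SEC_ACCOUNTS: {
        "objectclass": ["alias", "extensibleObject"],
        "aliasedobjectname": ["ou=posixusers,ou=unix," + BASE],
    },
    "cn=securityGui1," + SEC_ACCOUNTS: {
        "objectclass": ["inetOrgPerson"],
        "uid": ["securityGui1"],                # assumed: the mail shows only the cn
        "memberof": [USERADMINS, USERREVIEW],  # assumed: Useradmins, so login works
    },
}

if __name__ == "__main__":
    print("narrow suffix, deref=0 :", lam_login(DIT, "PosixUser1", SEC_ACCOUNTS, USERADMINS))
    print("narrow suffix, deref=3 :", lam_login(DIT, "PosixUser1", SEC_ACCOUNTS, USERADMINS, "always"))
    print("base suffix,   deref=0 :", lam_login(DIT, "PosixUser1", BASE, USERADMINS))
    print("not in group           :", lam_login(DIT, "PosixUser2", BASE, USERADMINS))
```

The practical point for the profile: once the suffix is widened to the naming context, the memberOf filter is the only thing keeping server-only accounts out of the QA profile, so the group must be maintained as carefully as the old subtree boundary was, and the search should still return exactly one entry per login name.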
