yahoo-eng-team team mailing list archive

[Bug 1498569] [NEW] group_filter not working

 

Public bug reported:

keystone 2014.2.2

Using multi domains with one domain in AD LDAP,
group_filter does not work.

user_filter (|(memberof=CN=group1....)(memberof=CN=group2.....))
works as expected, whereas
group_filter (|(CN=group1...)(CN=group2...))

returns no groups in id_mapping table.
openstack group list --domain ldapdomain
(nothing is returned)

So we have to take all the groups in the group_tree_dn.

We can have thousands of groups in a directory and we don't want to take
them all, especially if we are binding to a global schema and searching
for OpenStack users in multiple sites.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1498569

Title:
  group_filter not working

Status in Keystone:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1498569/+subscriptions

