yahoo-eng-team team mailing list archive
Message #58593
[Bug 1638603] Re: Identity LDAP does not support AD nested groups
** Changed in: keystone
Status: In Progress => Fix Released
** Also affects: keystone/newton
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1638603
Title:
Identity LDAP does not support AD nested groups
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) newton series:
New
Bug description:
Active Directory has a very specific mechanism to
handle nested groups. LDAP queries need to look like this:
"(&(objectClass=group)(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"
If a deployment is using nested groups, three queries need to be
modified to support it:
list users in a group
list groups for a user
check if a user is in a group
Since all three are necessary, a single configuration value ensures
that the change is synchronized across all three calls.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1638603/+subscriptions
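As an added illustration of the three queries the report names (example code, not keystone's own), the following Python builds each filter from a single nested-groups switch using Active Directory's extensible-match syntax for LDAP_MATCHING_RULE_IN_CHAIN, and escapes DN values per RFC 4515 so a DN cannot alter the filter. The objectClass values and attribute names are assumed AD defaults; the DNs are constructed sample values.

```python
# Added example (not keystone code): the three group queries from the bug
# report, derived from one nested_groups setting so they cannot drift apart.
# Assumed attribute/objectClass names are the usual AD ones.

# LDAP_MATCHING_RULE_IN_CHAIN: asks AD to walk group membership transitively.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping for assertion values, so a DN containing '*', '(', ')'
# or '\' (for example "CN=Smith\, John") cannot change the filter's shape.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class GroupQueries:
    """Filters for: users in a group, groups for a user, user-in-group check."""

    def __init__(self, nested_groups: bool, group_objectclass: str = "group",
                 user_objectclass: str = "person", member_attr: str = "member",
                 memberof_attr: str = "memberOf"):
        self.nested_groups = nested_groups
        self.group_objectclass = group_objectclass
        self.user_objectclass = user_objectclass
        self.member_attr = member_attr
        self.memberof_attr = memberof_attr

    def _chain(self, attr: str) -> str:
        # "(member:1.2.840.113556.1.4.1941:=DN)" when nested, else "(member=DN)"
        return f"{attr}:{MATCHING_RULE_IN_CHAIN}:" if self.nested_groups else attr

    def groups_for_user(self, user_dn: str) -> str:
        """List groups for a user: groups whose member (chain) holds the user DN."""
        return (f"(&(objectClass={self.group_objectclass})"
                f"({self._chain(self.member_attr)}={escape_filter_value(user_dn)}))")

    def users_in_group(self, group_dn: str) -> str:
        """List users in a group: users whose memberOf (chain) holds the group DN."""
        return (f"(&(objectClass={self.user_objectclass})"
                f"({self._chain(self.memberof_attr)}={escape_filter_value(group_dn)}))")

    def user_in_group(self, user_dn: str, group_dn: str) -> tuple:
        """Check membership: base-scoped search at the group DN; one hit means yes.
        Returns (base_dn, scope, filter); scope "base" maps to ldap.SCOPE_BASE."""
        return (group_dn, "base",
                f"({self._chain(self.member_attr)}={escape_filter_value(user_dn)})")
```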