yahoo-eng-team team mailing list archive
Message #80207
[Bug 1834304] Re: [RFE][keystone][idm/ldap backend]: is it possible to use nested group to authorize users ?
[Expired for OpenStack Identity (keystone) because there has been no
activity for 60 days.]
** Changed in: keystone
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1834304
Title:
[RFE][keystone][idm/ldap backend]: is it possible to use nested group
to authorize users ?
Status in OpenStack Identity (keystone):
Expired
Bug description:
Hello,
Keystone is interfaced with an LDAP backend (IDM) using a specific
domain to authenticate/authorize users to access OpenStack APIs. We
assign a role to a specific group on a specific project. In order to
simplify IDM configuration, I would like to use nested groups, but I do
not manage to configure it. I am not even sure it is possible.
In the general/standard configuration, keystone looks up groups
with a direct membership for the user. When we use nested groups, as the
user is not a direct member, it does not work.
Is there any option in the keystone LDAP configuration that could make
keystone use the "memberOf" attributes of the user (instead of the
group_member_attribute) to determine the group membership?
Or are there plans to get this added as a feature in OpenStack?
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1834304/+subscriptions
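Added example (not part of the bug report and not keystone code): a small in-memory model of the difference the report describes between finding groups that list the user directly and following group-in-group links. The directory contents, DNs and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data: group DN -> values of its member attribute.
# DNs and group names are hypothetical; team-a and team-b reference each
# other to show that the walk must tolerate membership cycles.
BASE = "cn=groups,cn=accounts,dc=example,dc=test"
USERS = "cn=users,cn=accounts,dc=example,dc=test"
DIRECTORY = {
    f"cn=project-x-members,{BASE}": [f"cn=team-a,{BASE}"],
    f"cn=team-a,{BASE}": [f"uid=alice,{USERS}", f"cn=team-b,{BASE}"],
    f"cn=team-b,{BASE}": [f"uid=bob,{USERS}", f"cn=team-a,{BASE}"],
    f"cn=auditors,{BASE}": [f"uid=carol,{USERS}"],
}


def norm(dn):
    """Simplified DN normalisation (case and spacing only, no escapes)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def direct_groups(entry_dn, directory=DIRECTORY):
    """Groups that list entry_dn itself in their member attribute."""
    target = norm(entry_dn)
    return {norm(g) for g, members in directory.items()
            if target in {norm(m) for m in members}}


def effective_groups(user_dn, directory=DIRECTORY):
    """Direct groups plus every group reached through group-in-group links."""
    seen = set()
    queue = deque(direct_groups(user_dn, directory))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded: this is what breaks cycles
            continue
        seen.add(group)
        queue.extend(direct_groups(group, directory))
    return seen


if __name__ == "__main__":
    alice = f"uid=alice,{USERS}"
    print("direct:   ", sorted(direct_groups(alice)))
    print("effective:", sorted(effective_groups(alice)))
```

A role assigned to the parent group reaches every user in the effective set, so that expanded set is the one to review when auditing who a role assignment actually covers.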