yahoo-eng-team team mailing list archive

[Bug 2112477] [NEW] Problems with AD nested groups

Public bug reported:

There are some issues with the implementation of AD nested groups from
LP #1638603

It works fine when listing the groups a user belongs to, but fails when
listing all members of a group. This function of listing all members is
also used to check if a user belongs to a group which also fails.

The queries to achieve this are outlined here:
https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN#operators

It mentions how to get all groups a user belongs to but does not show
the query to get all members of a group.

From that document I have derived a query to get all users from a group.
That entails using the users base and querying
(memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x) but this
is not what keystone is doing.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2112477

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2112477/+subscriptions
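The two transitive-membership queries the report contrasts, written out as an added example (this is not keystone's code and not from the bug report): `member:1.2.840.113556.1.4.1941:=<userDN>` run against the groups base returns every group a user belongs to through any nesting depth, and `memberof:1.2.840.113556.1.4.1941:=<groupDN>` run against the users base returns every user of a group, which is the query the reporter says is missing. The DN values, the `DC=example,DC=test` suffix, the `objectClass` defaults and the in-memory directory used to model what the server computes are constructed assumptions. Assertion values are hex-escaped per RFC 4515 so a DN containing `(`, `)`, `*` or `\` cannot alter the filter's structure.

```python
"""Nested AD group membership via LDAP_MATCHING_RULE_IN_CHAIN.

Added example, not keystone's own code. It builds both filters with
RFC 4515 value escaping and models offline, on a constructed directory,
the set of users that `memberof:<OID>:=<groupDN>` selects on the server.
"""

# Matching-rule OID that makes `member` / `memberOf` match transitively.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def groups_of_user_filter(user_dn, group_class="group"):
    """Filter for the *groups* search base: every group the user is a member
    of, directly or through nested groups. `group_class` is an assumed default."""
    return ("(&(objectClass=%s)(member:%s:=%s))"
            % (escape_filter_value(group_class), LDAP_MATCHING_RULE_IN_CHAIN,
               escape_filter_value(user_dn)))


def members_of_group_filter(group_dn, user_class="person"):
    """Filter for the *users* search base: every user that is a member of the
    group, directly or through nested groups. `user_class` is an assumed default."""
    return ("(&(objectClass=%s)(memberof:%s:=%s))"
            % (escape_filter_value(user_class), LDAP_MATCHING_RULE_IN_CHAIN,
               escape_filter_value(group_dn)))


# Constructed directory: group DN -> its direct `member` values (users or groups).
# Names and suffix are invented for the example; Group2 links back to Group1
# so the resolver is exercised against a membership cycle.
GROUP_MEMBERS = {
    "CN=Group1,OU=groupsOU,DC=example,DC=test": [
        "CN=alice,OU=usersOU,DC=example,DC=test",
        "CN=Group2,OU=groupsOU,DC=example,DC=test",
    ],
    "CN=Group2,OU=groupsOU,DC=example,DC=test": [
        "CN=bob,OU=usersOU,DC=example,DC=test",
        "CN=Group1,OU=groupsOU,DC=example,DC=test",
    ],
}


def transitive_members(group_dn, directory):
    """Offline model of `memberof:IN_CHAIN:=group_dn`: all non-group entries
    reachable by following `member` links, visiting each group once."""
    seen_groups, members, stack = set(), set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen_groups:
            continue
        seen_groups.add(group)
        for entry in directory.get(group, []):
            if entry in directory:      # entry is itself a group: descend
                stack.append(entry)
            else:
                members.add(entry)
    return members


def user_in_group(user_dn, group_dn, directory):
    """Membership check built on the group->members direction, as the report
    describes keystone doing."""
    return user_dn in transitive_members(group_dn, directory)


if __name__ == "__main__":
    group1 = "CN=Group1,OU=groupsOU,DC=example,DC=test"
    print(groups_of_user_filter("CN=bob,OU=usersOU,DC=example,DC=test"))
    print(members_of_group_filter(group1))
    print(sorted(transitive_members(group1, GROUP_MEMBERS)))
```

Run against a real directory, each filter is paired with its own search base (groups base for the first, users base for the second); the in-memory resolver is only there to make the expected result of the second query visible without a domain controller.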