
yahoo-eng-team team mailing list archive

[Bug 2112477] Re: Problems with AD nested groups


Reviewed:  https://review.opendev.org/c/openstack/keystone/+/951792
Committed: https://opendev.org/openstack/keystone/commit/f8338be43073f23f3db64fa4ba658c3e1f554aa7
Submitter: "Zuul (22348)"
Branch:    master

commit f8338be43073f23f3db64fa4ba658c3e1f554aa7
Author: Jorge Merlino <jorge.merlino@xxxxxxxxxxxxx>
Date:   Wed Jun 4 13:58:17 2025 -0300

    Fix AD nested groups issues
    
    The implementation of AD nested groups searches works fine when
    listing the groups a user belongs to, but fails when listing all
    members of a group. This function of listing all members is also
    used to check if a user belongs to a group, which also fails.
    This patch fixes the query for getting all users in a group.
    
    Closes-Bug: #2112477
    
    Depends-on: https://review.opendev.org/c/openstack/devstack/+/953569
    Depends-on: https://review.opendev.org/c/openstack/devstack/+/954914
    
    Change-Id: I9707e1a9bc4a334902933d6251888144f8c3bc19
    Signed-off-by: Jorge Merlino <jorge.merlino@xxxxxxxxxxxxx>


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2112477

Title:
  Problems with AD nested groups

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  There are some issues with the implementation of AD nested groups from
  LP #1638603

  It works fine when listing the groups a user belongs to, but fails
  when listing all members of a group. This function of listing all
  members is also used to check if a user belongs to a group, which
  also fails.

  The queries to achieve this are outlined here:
  https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN#operators

  It mentions how to get all groups a user belongs to but does not show
  the query to get all members of a group.

  From that document I have derived a query to get all users from a
  group. That entails using the users base and querying
  (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x) but
  this is not what keystone is doing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2112477/+subscriptions
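As an added example (not keystone's code, and not the reporter's or the commit's), the block below builds the two Active Directory "matching rule in chain" filters the bug report discusses (OID 1.2.840.113556.1.4.1941, `member:` searched under the groups base for a user's groups, `memberof:` searched under the users base for a group's members) and shows, over a constructed toy directory, why a membership check that only reads a group's direct `member` values misses nested members. The DNs, the `TOY_GROUPS` mapping and all function names are assumptions for illustration; the filter-escaping helper is written here rather than taken from any library.

```python
"""Added example, not keystone's code or the bug reporter's: builds the two
AD "matching rule in chain" filters the bug report discusses and shows, over
a constructed toy directory, why a flat member lookup misses nested members."""

# OID of AD's LDAP_MATCHING_RULE_IN_CHAIN, as used in the bug report.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515).

    A DN taken from directory data can contain '(' ')' '*' or '\\'; left
    unescaped they change the meaning of the filter the DN is placed in.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def groups_of_user_filter(user_dn: str) -> str:
    """Filter searched under the groups base: every group whose member chain
    reaches user_dn (the direction the bug report says already worked)."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))


def members_of_group_filter(group_dn: str) -> str:
    """Filter searched under the users base: every user whose memberOf chain
    reaches group_dn (the query the bug report derives)."""
    return "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))


# Constructed toy directory (not real data): group DN -> its direct 'member'
# values, which may be users or other groups. Group1 contains SubGroup.
TOY_GROUPS = {
    "cn=Group1,OU=groupsOU,DC=x": [
        "cn=alice,OU=users,DC=x",
        "cn=SubGroup,OU=groupsOU,DC=x",
    ],
    "cn=SubGroup,OU=groupsOU,DC=x": ["cn=bob,OU=users,DC=x"],
}


def direct_user_members(group_dn: str, groups: dict) -> set:
    """What reading only the group's own 'member' attribute yields: direct
    user members, with nested groups' users left out."""
    return {dn for dn in groups.get(group_dn, []) if dn not in groups}


def transitive_user_members(group_dn: str, groups: dict) -> set:
    """What the in-chain filter yields server-side: users reachable through
    any depth of nesting. The visited set guards against cyclic nesting,
    which AD permits, so the walk always terminates."""
    users, visited, stack = set(), set(), [group_dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for dn in groups.get(current, []):
            if dn in groups:
                stack.append(dn)
            else:
                users.add(dn)
    return users


def is_user_in_group(user_dn: str, group_dn: str, groups: dict,
                     nested: bool = True) -> bool:
    """Membership check built on the member listing, the way the bug report
    says keystone's check is; nested=False reproduces the flat behaviour."""
    resolve = transitive_user_members if nested else direct_user_members
    return user_dn in resolve(group_dn, groups)


if __name__ == "__main__":
    group = "cn=Group1,OU=groupsOU,DC=x"
    print(members_of_group_filter(group))
    print("flat:  ", sorted(direct_user_members(group, TOY_GROUPS)))
    print("nested:", sorted(transitive_user_members(group, TOY_GROUPS)))
```

The point for an authorization check is the last function: with the flat lookup, `bob` is reported as not being in `Group1` even though AD considers him a member through `SubGroup`, so role assignments granted to the group are silently not applied to nested members.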