Identity LDAP does not support AD nested groups

Bug #1638603 reported by Adam Young
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Adam Young
Newton                         Fix Released  Undecided   Unassigned

Bug Description

Active Directory has a very specific mechanism to
handle nested groups. LDAP queries need to look like this:

"(&(objectClass=group)(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

If a deployment is using nested groups, three queries need to be modified to support it:

  - list users in a group
  - list groups for a user
  - check if a user is in a group

Since all three are necessary, a single configuration value ensures
that the change is synchronized across all three calls.
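The three queries the report describes, as an added illustration rather than keystone's own code: one flag switches all three filters between plain equality on member/memberOf and the AD transitive (in-chain) extensible match with the OID quoted above, and every DN is RFC 4515-escaped so a user- or group-supplied value cannot change the filter structure. The class and option name below are assumptions for the example, and the check query is written to be run with the user's DN as search base (base scope), where a non-empty result means membership.

```python
"""Build AD group-membership LDAP filters, flat or nested (constructed example)."""

# OID from the bug report: LDAP_MATCHING_RULE_IN_CHAIN, AD's transitive match.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX so a DN cannot
    inject extra filter components."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class GroupQueries:
    """One configuration value (assumed name: group_ad_nesting) drives all
    three membership queries so they cannot drift apart."""

    def __init__(self, group_ad_nesting: bool):
        self.nested = group_ad_nesting

    def _match(self, attr: str, dn: str) -> str:
        # Equality match, or AD in-chain extensible match when nesting is on.
        rule = ":%s:" % LDAP_MATCHING_RULE_IN_CHAIN if self.nested else ""
        return "(%s%s=%s)" % (attr, rule, escape_filter_value(dn))

    def groups_for_user(self, user_dn: str) -> str:
        return "(&(objectClass=group)%s)" % self._match("member", user_dn)

    def users_in_group(self, group_dn: str) -> str:
        return "(&(objectClass=person)%s)" % self._match("memberOf", group_dn)

    def user_in_group(self, group_dn: str) -> str:
        # Run with base=user_dn, scope=BASE; one entry returned means member.
        return self._match("memberOf", group_dn)


if __name__ == "__main__":
    # Constructed DNs matching the report's example domain.
    user = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"
    group = "CN=admins,OU=Groups,DC=EXAMPLE,DC=COM"
    for nested in (False, True):
        q = GroupQueries(group_ad_nesting=nested)
        print(q.groups_for_user(user))
        print(q.users_in_group(group))
        print(q.user_in_group(group))
```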

Adam Young (ayoung) wrote:

To test the calls on a live server:

curl -H "X-Auth-Token: $AUTH_TOKEN" $OS_AUTH_URL/users/$USERID/groups

and

openstack user list --group

Changed in keystone:
milestone: none → ocata-1
importance: Undecided → Medium
assignee: nobody → Adam Young (ayoung)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/395760

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/389316
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Submitter: Jenkins
Branch: master

commit e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Author: Adam Young <email address hidden>
Date: Thu Oct 20 14:51:27 2016 -0400

    Support nested groups in Active Directory

    Active Directory has a very specific mechanism to
    handle nested groups. LDAP queries need to look like this:

    "(&(objectClass=group)
       (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

    If a deployment is using nested groups, three queries need to be
    modified to support it:

      - list users in a group
      - list groups for a user
      - check if a user is in a group

    Since all three are necessary, a single configuration value ensures
    that the change is synchronized across all three calls.

    Closed-Bug: #1638603
    Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (stable/newton)

Reviewed: https://review.openstack.org/395760
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=08ff2a4dba06d2e53b67282a228eec390af16811
Submitter: Jenkins
Branch: stable/newton

commit 08ff2a4dba06d2e53b67282a228eec390af16811
Author: Adam Young <email address hidden>
Date: Thu Oct 20 14:51:27 2016 -0400

    Support nested groups in Active Directory

    Active Directory has a very specific mechanism to
    handle nested groups. LDAP queries need to look like this:

    "(&(objectClass=group)
       (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

    If a deployment is using nested groups, three queries need to be
    modified to support it:

      - list users in a group
      - list groups for a user
      - check if a user is in a group

    Since all three are necessary, a single configuration value ensures
    that the change is synchronized across all three calls.

    (cherry picked from e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83)

    Closed-Bug: #1638603
    Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2

tags: added: in-stable-newton