[RFE][keystone][idm/ldap backend]: is it possible to use nested group to authorize users ?
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
Hello,
Keystone is interfaced with an LDAP backend (IDM) using a specific domain to authenticate/
In general/standard configuration keystone is looking up for groups with a direct membship for the user. When we use nested group, as the user is not a direct member it does not work.
Is there any option in keystone ldap configuration that could make keystone used "memberOf" attributes of the user (instead of the group_member_
Or Are there plans to get this added a feature in OpenStack?
| Colleen Murphy (krinkle) wrote | #1 |
| Changed in keystone: | |
| status: | New → Incomplete |
| Guang Yee (guang-yee) wrote | #2 |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in keystone: | |
| status: | Incomplete → Expired |
Have you tried turning on the group_ad_nesting option? I am not sure whether the AD implementation maps to the IdM implementation at all, but the idea seems similar. If that doesn't work, we could probably implement a similar option specific to IdM.