Reviewed: https://review.openstack.org/389316
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Submitter: Jenkins
Branch: master
commit e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Author: Adam Young <email address hidden>
Date: Thu Oct 20 14:51:27 2016 -0400
Support nested groups in Active Directory
Active Directory has a very specific mechanism to handle nested groups. LDAP queries need to look like this:
"(&(objectClass=group) (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"
If a deployment is using nested groups, three queries need to be modified to support it:
- list users in a group
- list groups for a user
- check if a user is in a group
Since all three are necessary, a single configuration value ensures that the change is synchronized across all three calls.
Closed-Bug: #1638603
Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
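The three membership queries named in the commit message, built from one shared flag, as an added example that is not keystone's code. It assumes Active Directory's extensible-match form `attr:1.2.840.113556.1.4.1941:=DN`, the `objectClass=user` class for user entries, and hypothetical function names, and it escapes DN values per RFC 4515 so a crafted DN cannot alter the filter structure.

```python
# Added example, not keystone's code; all names here are hypothetical.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a DN so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _clause(attr, dn, nested):
    """(attr=dn) for direct membership, (attr:OID:=dn) for nested."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(%s%s=%s)" % (attr, rule, escape_filter_value(dn))


def group_filters(user_dn, group_dn, nested):
    """Build the three membership filters from one shared flag."""
    return {
        # Search the group tree: groups that contain the user.
        "groups_for_user": "(&(objectClass=group)%s)"
        % _clause("member", user_dn, nested),
        # Search the user tree: users that belong to the group.
        "users_in_group": "(&(objectClass=user)%s)"
        % _clause("memberOf", group_dn, nested),
        # Base-scope search on the user's DN: one hit means membership.
        "user_in_group": _clause("memberOf", group_dn, nested),
    }


if __name__ == "__main__":
    # Constructed sample DNs (the user DN is the one in the commit message).
    user = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"
    group = "CN=Ops (Tier 1),OU=Groups,DC=EXAMPLE,DC=COM"
    for flag in (False, True):
        for name, flt in sorted(group_filters(user, group, flag).items()):
            print(flag, name, flt)
```

Because every filter takes the same `nested` argument, listing and checking cannot disagree about whether indirect membership counts, which matters when group membership drives role assignment.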