Comment 3 for bug 1638603

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/389316
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Submitter: Jenkins
Branch: master

commit e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83
Author: Adam Young <email address hidden>
Date: Thu Oct 20 14:51:27 2016 -0400

    Support nested groups in Active Directory

    Active Directory has a very specific mechanism to
    handle nested groups. LDAP queries need to look like this:

    "(&(objectClass=group)
       (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

    If a deployment is using nested groups, three queries need to be
    modified to support it:

      - list users in a group
      - list groups for a user
      - check if a user is in a group

    Since all three are necessary, a single configuration value ensures
    that the change is synchronized across all three calls.

    Closed-Bug: #1638603
    Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
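The three membership queries the commit message lists, driven by one nested-groups switch, as an added example (not keystone's own code): the filters use the extensible-match form `(attribute:OID:=value)` of AD's LDAP_MATCHING_RULE_IN_CHAIN rule (the OID quoted above), and the `user`/`group` object classes and `member`/`memberOf` attribute names are assumed to match a standard AD schema. The escaping helper shows why a DN must not be pasted into a filter verbatim.

```python
# Added example: build the three Active Directory membership queries from one
# "nested groups" switch, using AD's LDAP_MATCHING_RULE_IN_CHAIN rule. Not
# keystone's code; object class and attribute names are assumptions.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # OID from the commit message


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value.

    A DN embedded in a filter must be escaped; otherwise a CN containing
    '(', ')', '*' or '\\' would change the structure of the filter.
    """
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def _attr(name, nested):
    # With nesting on, the attribute is qualified with the matching rule,
    # which makes AD follow the member/memberOf chain transitively.
    return "%s:%s:" % (name, MATCHING_RULE_IN_CHAIN) if nested else name


def users_in_group(group_dn, nested):
    """Filter listing user objects that are (transitively) members of a group."""
    return "(&(objectClass=user)(%s=%s))" % (
        _attr("memberOf", nested), escape_filter_value(group_dn))


def groups_for_user(user_dn, nested):
    """Filter listing groups that (transitively) contain a user."""
    return "(&(objectClass=group)(%s=%s))" % (
        _attr("member", nested), escape_filter_value(user_dn))


def user_in_group(group_dn, user_dn, nested):
    """Base-scope search on the group itself, returned as (base_dn, filter).

    A non-empty result means the user is a direct or nested member.
    """
    return group_dn, "(%s=%s)" % (
        _attr("member", nested), escape_filter_value(user_dn))
```

Because all three builders read the same `nested` flag, a deployment cannot end up with nested resolution on one query and flat resolution on another, which is the synchronisation point the commit message makes.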