Comment 4 for bug 1638603

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/newton)

Reviewed: https://review.openstack.org/395760
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=08ff2a4dba06d2e53b67282a228eec390af16811
Submitter: Jenkins
Branch: stable/newton

commit 08ff2a4dba06d2e53b67282a228eec390af16811
Author: Adam Young <email address hidden>
Date: Thu Oct 20 14:51:27 2016 -0400

    Support nested groups in Active Directory

    Active Directory has a very specific mechanism to
    handle nested groups. LDAP queries need to look like this:

    "(&(objectClass=group)
       (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

    If a deployment is using nested groups, three queries need to be
    modified to support it:

      - list users in a group
      - list groups for a user
      - check if a user is in a group

    Since all three are necessary, a single configuration value ensures
    that the change is synchronized across all three calls.

    (cherry picked from e8e56dc7c16b23f45eb3b041ff2b5e9c8df11f83)

    Closed-Bug: #1638603
    Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
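The commit message describes three LDAP queries that must all switch to the `1.2.840.113556.1.4.1941` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) when nested groups are enabled, driven by one configuration value. The following is an added illustration and is not keystone's code: it builds the three filters from a single `nested` flag, escapes interpolated DNs per RFC 4515 so a crafted name cannot alter the filter, and uses `memberOf` with the same rule for the users-in-group direction (the message only shows the `member` direction). Function names and the sample group DN are this example's own.

```python
# Added example, not keystone code. Shows how one config flag changes the
# three Active Directory membership queries named in the commit message.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A DN or name containing '*', '(', ')', '\\' or NUL would otherwise change
    the meaning of the filter it is interpolated into.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def _rule(attr, nested):
    # With nesting enabled the attribute carries the matching-rule OID so AD
    # walks the whole membership chain instead of a single level.
    return "%s:%s:" % (attr, LDAP_MATCHING_RULE_IN_CHAIN) if nested else attr


def list_users_in_group_filter(group_dn, nested=False):
    # Users whose memberOf chain (or direct memberOf) includes the group.
    # Using memberOf for this direction is this example's assumption.
    return "(&(objectClass=person)(%s=%s))" % (
        _rule("memberOf", nested), escape_filter_value(group_dn))


def list_groups_for_user_filter(user_dn, nested=False):
    # Groups whose member chain (or direct member list) includes the user;
    # with nested=True this is the filter shape shown in the commit message.
    return "(&(objectClass=group)(%s=%s))" % (
        _rule("member", nested), escape_filter_value(user_dn))


def check_user_in_group_filter(group_dn, user_dn, nested=False):
    # Single-group check: pin the group by DN and test the member chain.
    # A non-empty result means the user is a (possibly indirect) member.
    return "(&(objectClass=group)(distinguishedName=%s)(%s=%s))" % (
        escape_filter_value(group_dn), _rule("member", nested),
        escape_filter_value(user_dn))


def build_filters(group_dn, user_dn, nested):
    """One config value drives all three filters, as the commit describes."""
    return {
        "users_in_group": list_users_in_group_filter(group_dn, nested),
        "groups_for_user": list_groups_for_user_filter(user_dn, nested),
        "user_in_group": check_user_in_group_filter(group_dn, user_dn, nested),
    }


if __name__ == "__main__":
    # Constructed sample DNs, modelled on the one in the commit message.
    user = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"
    group = "CN=admins,OU=Groups,DC=EXAMPLE,DC=COM"  # hypothetical group
    for name, flt in build_filters(group, user, nested=True).items():
        print(name, flt)
```

Keeping the flag in one place is the point of the change: if only one of the three queries used the chain rule, a user who is a member only through a nested group would be listed by one call and denied by another, which is exactly the kind of inconsistency that produces authorization surprises.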