[RFE][keystone][idm/ldap backend]: is it possible to use nested group to authorize users ?
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Expired | Undecided | Unassigned |
Bug Description
Hello,
Keystone is interfaced with an LDAP backend (IDM) using a specific domain to authenticate/
In the general/standard configuration, keystone looks up groups that have a direct membership for the user. When we use nested groups, this does not work because the user is not a direct member.
Is there any option in the keystone LDAP configuration that could make keystone use the user's "memberOf" attribute (instead of the group_member_
Or are there plans to get this added as a feature in OpenStack?
Have you tried turning on the group_ad_nesting option? I am not sure whether the AD implementation maps to the IdM implementation at all, but the idea seems similar. If that doesn't work, we could probably implement a similar option specific to IdM.
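Added example, not from this bug report or from keystone's own code: a constructed in-memory model of an IdM/LDAP directory that shows why a direct-membership lookup misses a user whose group is itself a member of another group, while a transitive (nested) resolution finds it, together with the two LDAP filter shapes involved. The user DN, group DNs and the `member` attribute name are constructed; the matching-rule-in-chain OID is Active Directory's real extensible-match OID, and that the group_ad_nesting option builds a filter of that shape is my assumption, not something the thread states.

```python
"""Direct vs nested group membership resolution (constructed model, not keystone code)."""
from typing import Dict, List, Set

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible-match OID.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> DNs listed in its "member" attribute.
# ops-team is nested inside cloud-admins; the back-reference creates a cycle on purpose.
DIRECTORY: Dict[str, List[str]] = {
    "cn=cloud-admins,cn=groups,dc=example,dc=com": [
        "cn=ops-team,cn=groups,dc=example,dc=com",
    ],
    "cn=ops-team,cn=groups,dc=example,dc=com": [
        "uid=alice,cn=users,dc=example,dc=com",
        "cn=cloud-admins,cn=groups,dc=example,dc=com",
    ],
}


def direct_group_filter(member_attr: str, user_dn: str) -> str:
    """Default-style filter: matches only groups that list the user directly."""
    return f"({member_attr}={user_dn})"


def nested_group_filter(member_attr: str, user_dn: str) -> str:
    """AD matching-rule-in-chain filter: the server walks nesting for us (assumed shape)."""
    return f"({member_attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={user_dn})"


def direct_groups(dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Groups whose member attribute contains dn directly (what a plain filter returns)."""
    return {group for group, members in directory.items() if dn in members}


def nested_groups(user_dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Transitive closure of group membership, safe against membership cycles."""
    seen: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(dn, directory):
            if group not in seen:
                seen.add(group)
                frontier.append(group)
    return seen


if __name__ == "__main__":
    alice = "uid=alice,cn=users,dc=example,dc=com"
    print("direct :", sorted(direct_groups(alice)))
    print("nested :", sorted(nested_groups(alice)))
```

The nested result is a strict superset of the direct one, which is exactly the authorization difference the reporter hits: any role assigned to cloud-admins is invisible to keystone unless nesting is resolved, either server-side via the chain filter or client-side as above.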