group_filter not working
Bug #1498569 reported by Robert Duncan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Won't Fix | Medium | Unassigned | |
python-openstackclient | Won't Fix | Medium | Unassigned | |
Bug Description
keystone 2014.2.2
Using multiple domains with one domain in AD LDAP,
group_filter does not work.
user_filter (|(memberof=
works as expected, whereas
group_filter (|(CN=group1.
returns no groups in the id_mapping table.
openstack group list --domain ldapdomain
(nothing is returned)
So we have to take all the groups in the group_tree_dn.
We can have thousands of groups in a directory and we don't want to take them all, especially if we are binding to a global schema and searching for OpenStack users in multiple sites.
tags: | added: ldap |
Changed in keystone: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in python-openstackclient: | |
assignee: | nobody → Mohan (mmuppidi) |
Changed in python-openstackclient: | |
assignee: | Mohan (mmuppidi) → nobody |
Changed in python-openstackclient: | |
assignee: | nobody → Mohan (mmuppidi) |
Changed in python-openstackclient: | |
assignee: | Mohan (mmuppidi) → nobody |
Changed in python-openstackclient: | |
status: | Triaged → Won't Fix |
This is working as designed for keystone. I think this is more of an openstackclient bug -- openstackclient should support the filters that are available for user and group list (since it makes LDAP much more user friendly), these filters are both domain_id and name.
See the keystone v3 API: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#list-groups
openstackclient should have support for something like ... `openstack group list --domain ldapdomain --name testers`
should return all groups with "testers"
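
The server-side filtering the comment refers to, as an added example that is not part of the original bug thread or of either project's code: a small client that calls `GET /v3/groups` with the `domain_id` and `name` query filters, so the caller never pulls every group in the directory. The endpoint URL, token, domain ID and the response body are constructed placeholders, and the function names are hypothetical. Note that the API filters on a domain ID, not the domain name passed to `--domain`.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of a list-groups response body (not real data).
SAMPLE_RESPONSE = json.dumps({
    "groups": [
        {"id": "g-001", "name": "testers", "domain_id": "d-ldap"},
        {"id": "g-002", "name": "testers", "domain_id": "d-other"},
    ],
    "links": {"self": "https://keystone.example:5000/v3/groups"},
}).encode()


def build_group_list_request(keystone_url, token, domain_id=None, name=None):
    """Build GET /v3/groups, passing only the filters that were supplied."""
    pairs = (("domain_id", domain_id), ("name", name))
    filters = {key: value for key, value in pairs if value}
    url = keystone_url.rstrip("/") + "/v3/groups"
    if filters:
        # urlencode escapes characters that would otherwise alter the query.
        url += "?" + urllib.parse.urlencode(filters)
    headers = {"X-Auth-Token": token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def parse_groups(body, domain_id=None):
    """Return (id, name) pairs, dropping any row outside the requested domain."""
    groups = json.loads(body).get("groups", [])
    return [(g["id"], g["name"]) for g in groups
            if domain_id is None or g.get("domain_id") == domain_id]


def list_groups(keystone_url, token, domain_id=None, name=None,
                opener=urllib.request.urlopen):
    """Fetch and parse the filtered list; opener is injectable for offline runs."""
    request = build_group_list_request(keystone_url, token, domain_id, name)
    with opener(request, timeout=10) as response:
        return parse_groups(response.read(), domain_id)
```
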