Reviewed:  https://review.openstack.org/258528
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=449f1f2bdee5fe8026239667838cf2ab976806fd
Submitter: Jenkins
Branch:    master

commit 449f1f2bdee5fe8026239667838cf2ab976806fd
Author: Alexander Makarov <amaka...@mirantis.com>
Date:   Wed Dec 16 17:11:36 2015 +0300

    Enable support for posixGroups in LDAP

    Support LDAP backends using POSIX groups

    Change-Id: Iaaf022bfdcbd26b3a29c84ff60a033f65a60302b
    Closes-Bug: 1526462

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1526462

Title:
  Need support for OpenDirectory in LDAP driver

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  It is necessary to support Apple OpenDirectory as the backend for
  Keystone Identity. OpenDirectory uses a concept of POSIX groups, when
  the entities of users in the groups are represented as UIDs, not full
  DNs:

  dn: cn=group1, cn=groups,dc=domain,dc=com
  ....
  memberUid: user1
  memberUid: user2
  ....

  while in the driver of LDAP it is hardcoded that the entities could be
  only full DNs, like:

  dn: cn=group1, cn=groups,dc=domain,dc=com
  ....
  memberUid: uid=user1,cn=users,dc=domain,dc=com
  memberUid: uid=user2,cn=users,dc=domain,dc=com

  Because of this reason it is impossible to use groups in Keystone and
  we cannot assign the roles to the Keystone groups - Keystone doesn't
  recognize any user to be a part of any group. When it checks the
  roles, it searches for the direct user's assignments, and then for any
  groups which the user can be a member of. So by default the search
  returns nothing.

  We have to have an additional parameter in the config where we specify
  the type of the entity in the groups - whether it is currently a dn
  or an id.
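
The membership mismatch described in the bug report above, as an added example that is not part of the original notification and is not Keystone's code: it resolves a user's groups when member values are full DNs versus bare IDs. The names `groups_for_user`, `membership_filter` and the flag `members_are_ids` are hypothetical, and the directory entries are constructed.

```python
# Added illustration; not Keystone code. Directory entries are constructed.
GROUPS = [
    {"dn": "cn=group1,cn=groups,dc=domain,dc=com",          # posixGroup style
     "memberUid": ["user1", "user2"]},
    {"dn": "cn=group2,cn=groups,dc=domain,dc=com",          # full-DN style
     "memberUid": ["uid=user1,cn=users,dc=domain,dc=com"]},
]


def normalize_dn(dn):
    """Naive DN normalization: lower-case, drop spaces around commas.
    Does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(user_dn, user_id, member_attr="memberUid",
                      members_are_ids=False):
    """Build the group search filter for either member representation."""
    value = user_id if members_are_ids else user_dn
    return "(%s=%s)" % (member_attr, escape_filter_value(value))


def groups_for_user(groups, user_dn, user_id, member_attr="memberUid",
                    members_are_ids=False):
    """Return DNs of the groups that list the user, under the chosen mode."""
    found = []
    for group in groups:
        members = group.get(member_attr, [])
        if members_are_ids:
            hit = user_id in members          # bare IDs: exact string match
        else:
            wanted = normalize_dn(user_dn)    # DNs: compare normalized forms
            hit = any(normalize_dn(m) == wanted for m in members)
        if hit:
            found.append(group["dn"])
    return found


if __name__ == "__main__":
    dn = "uid=user1,cn=users,dc=domain,dc=com"
    print(groups_for_user(GROUPS, dn, "user1"))                        # DN mode
    print(groups_for_user(GROUPS, dn, "user1", members_are_ids=True))  # ID mode
    print(membership_filter(dn, "user1", members_are_ids=True))
```

With DN-only matching, a directory that stores bare IDs yields no groups for the user, so role assignments made to groups never apply; the filter helper escapes the member value because in ID mode it comes from a user-controlled identifier.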