Public bug reported:

Active Directory has a very specific mechanism to handle nested groups. LDAP queries need to look like this:

"(&(objectClass=group)(member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

If a deployment is using nested groups, three queries need to be modified to support it:

  list users in a group
  list groups for a user
  check if a user is in a group

Since all three are necessary, a single configuration value ensures that the change is synchronized across all three calls.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1638603

Title:
  Identity LDAP does not support AD nested groups

Status in OpenStack Identity (keystone):
  New
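The three queries named in the report, driven by one switch, as an added example that is not part of the bug report or keystone's code. The function names, the `nested` flag and the default object classes are assumptions; the filters use the extensible-match form `attribute:OID:=value` with the OID from the report, and every DN is escaped per RFC 4515 before it is placed in a filter.

```python
# Added example (not keystone code). Function names, the `nested` flag and the
# default object classes are hypothetical.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the report

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _match(attr, dn, nested):
    """Build (attr=dn), or (attr:OID:=dn) when nested-group matching is on."""
    op = ":%s:=" % AD_IN_CHAIN if nested else "="
    return "(%s%s%s)" % (attr, op, escape_filter_value(dn))


def groups_for_user_filter(user_dn, nested, group_class="group"):
    """Filter for: list groups for a user."""
    return "(&(objectClass=%s)%s)" % (group_class, _match("member", user_dn, nested))


def users_in_group_filter(group_dn, nested, user_class="user"):
    """Filter for: list users in a group."""
    return "(&(objectClass=%s)%s)" % (user_class, _match("memberOf", group_dn, nested))


def user_in_group_query(user_dn, group_dn, nested):
    """Check if a user is in a group: a base-scoped search on the user's own
    entry; one returned entry means the user is a member."""
    return user_dn, "base", _match("memberOf", group_dn, nested)


if __name__ == "__main__":
    user = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"  # DN from the report
    group = "CN=admins,OU=Groups,DC=EXAMPLE,DC=COM"  # constructed sample DN
    for nested in (False, True):
        print(groups_for_user_filter(user, nested))
        print(users_in_group_filter(group, nested))
        print(user_in_group_query(user, group, nested))
```

Because all three builders go through `_match`, flipping the one flag changes every query together, which is the synchronization the report asks for.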