Reviewed: https://review.opendev.org/c/openstack/keystone/+/951792
Committed: https://opendev.org/openstack/keystone/commit/f8338be43073f23f3db64fa4ba658c3e1f554aa7
Submitter: "Zuul (22348)"
Branch: master

commit f8338be43073f23f3db64fa4ba658c3e1f554aa7
Author: Jorge Merlino <[email protected]>
Date: Wed Jun 4 13:58:17 2025 -0300

    Fix AD nested groups issues

    The implementation of AD nested groups searches works fine when
    listing the groups a user belongs to, but fails when listing all
    members of a group. This function of listing all members is also
    used to check if a user belongs to a group which also fails.

    This patch fixes the query for getting all users in a group.

    Closes-Bug: #2112477
    Depends-on: https://review.opendev.org/c/openstack/devstack/+/953569
    Depends-on: https://review.opendev.org/c/openstack/devstack/+/954914
    Change-Id: I9707e1a9bc4a334902933d6251888144f8c3bc19
    Signed-off-by: Jorge Merlino <[email protected]>

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2112477

Title:
  Problems with AD nested groups

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  There are some issues with the implementation of AD nested groups from
  LP #1638603

  It works fine when listing the groups a user belongs to, but fails
  when listing all members of a group. This function of listing all
  members is also used to check if a user belongs to a group which also
  fails.

  The queries to achieve this are outlined here:
  https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN#operators

  It mentions how to get all groups a user belongs to but does not show
  the query to get all members of a group. From that document I have
  derived a query to get all users from a group. That entails using the
  users base and querying
  (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x) but
  this is not what keystone is doing.
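As an added illustration (not keystone's code and not part of the bug report), the two transitive queries contrasted in the report can be built as below, with RFC 4515 escaping of the DN so that a group or user name containing `(`, `)`, `*` or `\` cannot change the shape of the filter. The function names and sample base DNs are hypothetical; the `member` form is the one given in the linked Microsoft document, and the base-scope membership check is one common way to ask the same question about a single user.

```python
# Added example, not keystone code. All function names are hypothetical.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the bug report

# RFC 4515 section 3: these characters must appear as \XX in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a DN (or any string) before placing it in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def members_of_group(group_dn, users_base):
    """Direct and nested members of a group: search the USERS base."""
    flt = "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))
    return users_base, flt


def groups_of_user(user_dn, groups_base):
    """Groups a user is in, directly or via nesting: search the GROUPS base."""
    flt = "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))
    return groups_base, flt


def user_in_group(user_dn, group_dn):
    """Membership check: base-scope search on the user entry itself.

    Assumption: the caller runs this with scope=BASE, so one returned
    entry means "member" and an empty result means "not a member".
    """
    flt = "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))
    return user_dn, flt


if __name__ == "__main__":
    # Constructed sample DNs; only the Group1 DN comes from the report.
    print(members_of_group("cn=Group1,OU=groupsOU,DC=x", "OU=usersOU,DC=x"))
    print(groups_of_user("cn=user1,OU=usersOU,DC=x", "OU=groupsOU,DC=x"))
    print(user_in_group("cn=user1,OU=usersOU,DC=x", "CN=Ops (EU)*,OU=groupsOU,DC=x"))
```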

