Public bug reported:

Hello,

Keystone is interfaced with an LDAP backend (IDM) using a specific
domain to authenticate/authorize users to access OpenStack APIs. We
assign a role to a specific group on a specific project. In order to
simplify IDM configuration, I would like to use nested groups, but I
have not managed to configure it. I am not even sure it is possible.

In the general/standard configuration, keystone looks up groups in
which the user has a direct membership. When we use nested groups, as
the user is not a direct member, it does not work.

Is there any option in the keystone LDAP configuration that could make
keystone use the "memberOf" attributes of the user (instead of the
group_member_attribute) to determine the group membership?

Or are there plans to get this added as a feature in OpenStack?

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: ldap

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1834304

Title:
  [RFE][keystone][idm/ldap backend]: is it possible to use nested group
  to authorize users ?

Status in OpenStack Identity (keystone):
  New

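An added illustration, not part of the bug report and not keystone code: a small model of the difference the report describes between a direct-membership group lookup and a nested (transitive) one. The directory contents, DNs and function names are constructed for this example.

```python
from collections import deque

# Constructed sample directory: group DN -> values of its member attribute.
# A member value can be a user DN or another group DN (nesting).
GROUP_MEMBERS = {
    "cn=project-admins,cn=groups,dc=example,dc=test": [
        "cn=team-a,cn=groups,dc=example,dc=test",
    ],
    "cn=team-a,cn=groups,dc=example,dc=test": [
        "uid=alice,cn=users,dc=example,dc=test",
        "cn=team-b,cn=groups,dc=example,dc=test",
    ],
    "cn=team-b,cn=groups,dc=example,dc=test": [
        "uid=bob,cn=users,dc=example,dc=test",
        "cn=team-a,cn=groups,dc=example,dc=test",  # deliberate cycle
    ],
}

def _norm(dn):
    # Naive DN normalisation (case and spacing only; ignores escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def direct_groups(dn, directory=GROUP_MEMBERS):
    """Groups whose member attribute lists dn itself (direct membership only)."""
    dn = _norm(dn)
    return {_norm(g) for g, members in directory.items()
            if dn in map(_norm, members)}

def effective_groups(dn, directory=GROUP_MEMBERS):
    """Direct groups plus every group reached through nesting."""
    seen = set()
    queue = deque(direct_groups(dn, directory))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded; this also breaks cycles
            continue
        seen.add(group)
        queue.extend(direct_groups(group, directory))
    return seen

def is_authorized(dn, role_group, nested):
    """True if dn belongs to the group that holds the role assignment."""
    groups = effective_groups(dn) if nested else direct_groups(dn)
    return _norm(role_group) in groups
```

With nested resolution, a role assigned to `project-admins` reaches every user below it, including `bob`, who arrives only through the `team-b` to `team-a` nesting, so the group graph itself becomes part of the authorization review.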