Public bug reported:
It is necessary to support Apple OpenDirectory as the backend for
Keystone Identity.
OpenDirectory uses a concept of POSIX groups, where the entities of users
in the groups are represented as UIDs, not full DNs:
dn: cn=group1, cn=groups,dc=domain,dc=com
....
memberUid: user1
memberUid: user2
....
while in the driver of LDAP it is hardcoded that the entities could be
only full DNs, like:
dn: cn=group1, cn=groups,dc=domain,dc=com
....
memberUid: uid=user1,cn=users,dc=domain,dc=com
memberUid: uid=user2,cn=users,dc=domain,dc=com
Because of this reason it is impossible to use groups in Keystone and we
cannot assign the roles to the Keystone groups - Keystone doesn't
recognize any user to be a part of any group. When it checks the roles,
it searches for the direct user's assignments, and then for any groups
which the user can be a member of. So by default the search returns
nothing.
We have to have an additional parameter in the config where we specify
the type of the entity in the groups - whether it is currently a dn or
an id.
** Affects: keystone
Importance: Undecided
Status: New
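The lookup the report describes, as an added example that is not part of the bug report or of keystone's own code: a group search is driven by a member attribute name and a switch saying whether that attribute holds DNs or bare user ids. The LDIF text, the `parse_ldif` helper and the `config` dict are all constructed here; the key `group_members_are_ids` is named after the boolean keystone's `[ldap]` section provides for this distinction, but the dict is a stand-in, not keystone's configuration object. Run with a DN-only comparison against POSIX-style data, the search returns nothing, which is the behaviour the report complains about; with the switch set, the same user is found in both groups. Matching is deliberately exact in both modes so that a bare id is never matched as a substring of a DN or vice versa.

```python
"""Resolve LDAP group membership when the member attribute holds either
full DNs (groupOfNames-style ``member``) or bare user ids (POSIX-style
``memberUid``).  Added example, not keystone code.

Assumptions: a minimal LDIF-like text format (no continuation lines, no
base64 values) and a plain dict as configuration with the keys
``group_member_attribute`` and ``group_members_are_ids``.
"""

# Constructed sample directories, in the two shapes the bug report describes.
OPENDIRECTORY_LDIF = """\
dn: cn=group1,cn=groups,dc=domain,dc=com
objectClass: posixGroup
cn: group1
memberUid: user1
memberUid: user2

dn: cn=group2,cn=groups,dc=domain,dc=com
objectClass: posixGroup
cn: group2
memberUid: user2
"""

DN_STYLE_LDIF = """\
dn: cn=group1,cn=groups,dc=domain,dc=com
objectClass: groupOfNames
cn: group1
member: uid=user1,cn=users,dc=domain,dc=com
member: uid=user2,cn=users,dc=domain,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of entries.

    Each entry maps a lower-cased attribute name to the list of values seen,
    in order.  Blank lines separate entries.
    """
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Canonicalise a DN for comparison: trim whitespace around RDN
    separators and ignore case.  Sufficient for the sample data; a
    production driver would use an RFC 4514 aware comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_for_user(entries, user_dn, user_id, config):
    """Return the cn of every group whose member attribute lists the user.

    With ``group_members_are_ids`` false, values are compared as DNs
    against ``user_dn``; with it true, values are compared byte-for-byte
    against ``user_id``.  Neither mode falls back to the other, so a bare
    id never matches part of a DN and a DN never matches an id.
    """
    member_attr = config["group_member_attribute"].lower()

    if config["group_members_are_ids"]:
        def matches(value):
            return value == user_id
    else:
        wanted = normalize_dn(user_dn)

        def matches(value):
            return normalize_dn(value) == wanted

    found = []
    for entry in entries:
        if any(matches(v) for v in entry.get(member_attr, [])):
            found.append(entry["cn"][0])
    return found


def effective_roles(direct_roles, group_roles, user_id, groups):
    """Union of the user's direct role assignments and those of the groups
    found for the user; with no groups found, only direct roles remain."""
    roles = set(direct_roles.get(user_id, ()))
    for group in groups:
        roles |= set(group_roles.get(group, ()))
    return roles


def demo():
    """Show the reported failure and the effect of the extra config switch."""
    od = parse_ldif(OPENDIRECTORY_LDIF)
    user_dn, user_id = "uid=user2,cn=users,dc=domain,dc=com", "user2"
    dn_only = {"group_member_attribute": "memberUid",
               "group_members_are_ids": False}
    id_aware = {"group_member_attribute": "memberUid",
                "group_members_are_ids": True}
    return (groups_for_user(od, user_dn, user_id, dn_only),   # []
            groups_for_user(od, user_dn, user_id, id_aware))  # ['group1', 'group2']


if __name__ == "__main__":
    print(demo())
```

The `effective_roles` helper mirrors the sequence the report gives (direct assignments first, then group assignments): when the membership search comes back empty, a user holds only the roles assigned to them directly, so any role granted through a keystone group is silently absent rather than failing loudly, which is worth checking for in an audit of role assignments against such a backend.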
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1526462
Title:
Need support for OpenDirectory in LDAP driver
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1526462/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp