Public bug reported:

There are some issues with the implementation of AD nested groups from LP #1638603.

It works fine when listing the groups a user belongs to, but fails when listing all members of a group. This function of listing all members is also used to check if a user belongs to a group, which also fails.

The queries to achieve this are outlined here:
https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN#operators

It mentions how to get all groups a user belongs to but does not show the query to get all members of a group.

From that document I have derived a query to get all users from a group. That entails using the users base and querying (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x) but this is not what keystone is doing.

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2112477

Title: Problems with AD nested groups

Status in OpenStack Identity (keystone): New
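The two query directions described in the report, as an added example that is not part of the original bug report and is not keystone's code. The helper names and the small in-memory directory are constructed for illustration; the walk models the transitive membership the in-chain filter asks for, next to a direct-members lookup that misses nested users.

```python
# Added example: helper names and directory contents are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID from the report's filter

def escape_filter_value(value):
    """Escape an assertion value (RFC 4515) so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def members_filter(group_dn):
    """Run against the users base: every user nested anywhere under group_dn."""
    return "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))

def groups_filter(user_dn):
    """Run against the groups base: every group that contains user_dn."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))

G1 = "cn=Group1,OU=groupsOU,DC=x"
G2 = "cn=Group2,OU=groupsOU,DC=x"
ALICE = "cn=alice,OU=usersOU,DC=x"
BOB = "cn=bob,OU=usersOU,DC=x"

# Constructed directory: group DN -> direct members (users or other groups).
# Group2 is nested in Group1 and points back at it, so the walk must stop cycles.
DIRECTORY = {G1: [ALICE, G2], G2: [BOB, G1]}

def direct_users(group_dn):
    """Users listed directly on the group; nested groups are not expanded."""
    return {m for m in DIRECTORY.get(group_dn, []) if m not in DIRECTORY}

def transitive_users(group_dn):
    """Users reachable through any depth of nesting, visiting each group once."""
    seen, stack, users = set(), [group_dn], set()
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in DIRECTORY.get(group, []):
            (stack if member in DIRECTORY else users).append(member) \
                if member in DIRECTORY else users.add(member)
    return users

def user_in_group(user_dn, group_dn, nested=True):
    """Membership check built on the member listing, as the report describes."""
    lookup = transitive_users if nested else direct_users
    return user_dn in lookup(group_dn)

if __name__ == "__main__":
    print(members_filter(G1))
    print("direct:", sorted(direct_users(G1)))
    print("nested:", sorted(transitive_users(G1)))
```

A membership check built on the direct listing rejects bob for Group1 even though he is a member through Group2, which is the failure mode the report describes for authorization decisions.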

