Bug 1041936

Summary: [RFE][keystone]: Support for LDAP posixGroups with the 'user_member_attribute' setting
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/ldap-posixgroup-support
Whiteboard: upstream_milestone_none upstream_status_unknown upstream_definition_obsolete
Doc Type: Enhancement
Last Closed: 2015-03-19 16:54:40 UTC

Description RHOS Integration 2013-12-12 20:10:11 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/ldap-posixgroup-support.

Description:

When searching for a user in a role or tenant, Keystone currently searches for the user's full DN as the value of the group's member attribute.  This works fine if you are using a groupOfNames or organizationalRole layout where the members are full DNs, but if you are using posixGroups, the search will never match since the member attribute value is the username (something like memberUid=joeblow).

In order for this to work with posixGroups, I'm proposing we add a config setting called 'user_member_attribute'.  For this, you can specify the user attribute value you want to use when searching for role and tenant matches.  For example, if you set 'user_member_attribute = uid', the value of the user's 'uid' attribute would be used for the tenant/role match.  The search filter for a tenant lookup would look something like this:

(&(memberUid=joeblow)(objectclass=posixGroup))

Without this setting, the filter would look like this:

(&(memberUid=uid=joeblow,ou=people,dc=example,dc=com)(objectclass=posixGroup))

If 'user_member_attribute' isn't set, the default would be to use the user's full DN.

Specification URL (additional information):

None
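The two filters above, built and evaluated against a small constructed directory, as an added example that is not part of the blueprint or of Keystone's own code. The sample entries, the `build_member_filter` and `matching_groups` helpers and the RFC 4515 escaping are assumptions for illustration; the point is that the DN-based filter never matches a posixGroup, while the 'uid'-based one does, and that the user attribute must be escaped before it is embedded in the filter.

```python
import re

# Constructed sample directory (not from the page): one user, one groupOfNames
# group and one posixGroup that both list joeblow as a member.
USER = {"dn": "uid=joeblow,ou=people,dc=example,dc=com", "uid": "joeblow"}
DIRECTORY = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "objectclass": "groupOfNames",
     "member": ["uid=joeblow,ou=people,dc=example,dc=com"]},
    {"dn": "cn=devs,ou=groups,dc=example,dc=com", "objectclass": "posixGroup",
     "memberUid": ["joeblow", "alice"]},
]

# RFC 4515 escaping for values embedded in a filter, so a crafted attribute
# value cannot change the filter's structure (e.g. by injecting ')(' or '*').
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESC.get(c, c) for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_member_filter(user, member_attr, objectclass, user_member_attribute=None):
    """Filter a tenant/role lookup would issue for `user` (hypothetical helper).

    Unset user_member_attribute -> match the user's full DN (groupOfNames,
    organizationalRole).  Set to e.g. 'uid' -> match that attribute's value,
    which is what posixGroup's memberUid actually stores.
    """
    value = user["dn"] if user_member_attribute is None else user[user_member_attribute]
    return f"(&({member_attr}={escape_filter_value(value)})(objectclass={objectclass}))"

_FILTER_RE = re.compile(r"\(&\((\w+)=(.*)\)\(objectclass=(\w+)\)\)$")

def matching_groups(directory, filt):
    """Evaluate the two-term AND filter built above against the sample directory."""
    attr, value, oc = _FILTER_RE.match(filt).groups()
    wanted = unescape_filter_value(value)  # the server compares the decoded value literally
    return [e["dn"] for e in directory
            if e["objectclass"].lower() == oc.lower() and wanted in e.get(attr, [])]

if __name__ == "__main__":
    dn_filter = build_member_filter(USER, "memberUid", "posixGroup")
    uid_filter = build_member_filter(USER, "memberUid", "posixGroup", "uid")
    print(dn_filter, "->", matching_groups(DIRECTORY, dn_filter))    # no match
    print(uid_filter, "->", matching_groups(DIRECTORY, uid_filter))  # cn=devs,...
```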