Bug 1301425
Summary: | OpenShift v3's LDAP authentication doesn't handle inheritance group (groups-in-groups) | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> |
Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
Status: | CLOSED ERRATA | QA Contact: | weiwei jiang <wjiang> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 3.1.0 | CC: | aos-bugs, erich, jliggitt, knakayam, pep, skuznets, tdawson, wsun |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-05-12 16:27:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1267746 | | |
Description
Kenjiro Nakayama
2016-01-25 01:40:52 UTC
Can you provide the LDAP sync config they are using (with any private information redacted)?

Extensible match support is fixed in 3.1.1.

That user story is for group sync, not authentication.

(In reply to Jordan Liggitt from comment #9)
> That user story is for group sync, not authentication.

Checked with:

# openshift version
openshift v3.1.1.907-1-g0755947
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

and it works well. And the fake data is:

user1 is a member of group2
group2 is a member of group1 (nested group)

Am I right?

> And the fake data is:
> user1 is a member of group2
> group2 is a member of group1 (nested group)

That is the correct structure. The test is to ensure a user lookup filter like this would find that user:

url: "ldap://ldap.example.com/o=Acme?sAMAccountName?sub?(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=...,DC=...)"

(In reply to Jordan Liggitt from comment #11)
> > And the fake data is:
> > user1 is a member of group2
> > group2 is a member of group1 (nested group)
>
> That is the correct structure. The test is to ensure a user lookup filter
> like this would find that user:
>
> url: "ldap://ldap.example.com/o=Acme?sAMAccountName?sub?(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=...,DC=...)"

Thanks.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064
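The lookup filter in comment #11 relies on Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) to resolve nested membership; a plain memberOf= filter only sees direct members, so a login restricted to group1 would silently exclude user1. The following Python is an added example, not code from this bug or from OpenShift: it splits an OpenShift-style LDAP URL into its parts and evaluates both filter forms against a constructed in-memory directory that mirrors the thread's fake data (the hostname, base DN and full DNs are assumed).

```python
import re
from urllib.parse import unquote, urlparse

# AD's LDAP_MATCHING_RULE_IN_CHAIN: memberOf:<OID>:= walks nested groups;
# plain memberOf= only sees direct membership.
NESTED_RULE = "1.2.840.113556.1.4.1941"

# Constructed directory mirroring the thread's fake data (DNs are assumed):
# user1 is a member of group2, group2 is a member of group1.
USER1 = "CN=user1,OU=Users,DC=example,DC=com"
GROUP1 = "CN=group1,OU=Groups,DC=example,DC=com"
GROUP2 = "CN=group2,OU=Groups,DC=example,DC=com"
DIRECTORY = {USER1: [GROUP2], GROUP2: [GROUP1], GROUP1: []}  # dn -> memberOf

# Two candidate identity-provider URLs (hostname and base DN are assumed).
DIRECT_URL = ("ldap://ldap.example.com/DC=example,DC=com?sAMAccountName?sub?"
              f"(memberOf={GROUP1})")
NESTED_URL = ("ldap://ldap.example.com/DC=example,DC=com?sAMAccountName?sub?"
              f"(memberOf:{NESTED_RULE}:={GROUP1})")

def parse_ldap_url(url):
    """Split an RFC 2255-style URL (scheme://host/basedn?attr?scope?filter),
    the form OpenShift's LDAP identity provider takes, into its parts."""
    p = urlparse(url)
    attr, scope, filt = (unquote(x) for x in (p.query.split("?") + ["", ""])[:3])
    return {"host": p.netloc, "basedn": unquote(p.path.lstrip("/")),
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": filt or "(objectClass=*)"}

def member_of(dn, group_dn, nested):
    """True if dn is a member of group_dn, transitively when nested is set."""
    # DN comparison is exact here; a real server compares DNs case-insensitively.
    seen, stack = set(), list(DIRECTORY.get(dn, []))
    while stack:
        g = stack.pop()
        if g == group_dn:
            return True
        if nested and g not in seen:
            seen.add(g)
            stack.extend(DIRECTORY.get(g, []))
    return False

# Only the single memberOf filter shapes discussed in the thread are handled.
FILTER_RE = re.compile(r"^\(memberOf(?::(?P<rule>[\d.]+):)?=(?P<group>.+)\)$")

def user_allowed(url, dn):
    """Would the user lookup filter embedded in url find dn?"""
    m = FILTER_RE.match(parse_ldap_url(url)["filter"])
    if not m:
        raise ValueError("unsupported filter; only memberOf filters are modelled")
    return member_of(dn, m["group"], nested=m["rule"] == NESTED_RULE)
```

With the direct filter user_allowed(DIRECT_URL, USER1) is False while the chain-rule filter returns True, which is exactly the check comment #11 describes.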