Bug 1380874

Summary: RFE: Keystone should be able to handle nested groups within Active Directory domains
Product: Red Hat OpenStack
Reporter: nalmond
Component: openstack-keystone
Assignee: Adam Young <ayoung>
Status: CLOSED WONTFIX
QA Contact: nlevinki <nlevinki>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.0 (Liberty)
CC: ayoung, byount, jdennis, jschluet, kbasil, nkinder, srevivo
Target Milestone: ---
Keywords: FutureFeature, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1385438
Environment:
Last Closed: 2017-01-16 20:11:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1385438, 1385439

Description nalmond 2016-09-30 21:48:54 UTC
- What is the nature and description of the request? 
Keystone should be able to list and authenticate with Active Directory users that are members of a subgroup of a higher level group. If the upper group has a given role, users that are members of groups below (but not the upper group directly) should also have the same roles.

- Why does the customer need this? (List the business requirements here) 
To integrate with an existing Active Directory server and allow users to authenticate based on permissions set across a broad scope of groups.

- How would the customer like to achieve this? (List the functional requirements here) 

Add support in keystone to correctly perform LDAP queries that require memberof:1.2.840.113556.1.4.1941: as part of the query.

- For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

'openstack user list --domain AD --group subgroup' should list all users that are members of the group 'subgroup', not just those that are also members of the parent group.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
no
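
Added example, not part of the original report and not Keystone code: the direct memberOf filter beside the 1.2.840.113556.1.4.1941 (in-chain) filter requested above, with RFC 4515 escaping of the group DN, plus a small in-memory model of which users each filter matches. The DNs, the objectClass value "user" and all function names are assumptions made for illustration.

```python
# Added illustration; every DN and directory entry below is constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the request


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_filter(group_dn, nested=False, objectclass="user"):
    """Build the user-listing filter; nested=True adds the in-chain rule."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=%s)(%s=%s))" % (
        objectclass, attr, escape_filter_value(group_dn))


PARENT = "CN=cloud-admins,OU=Groups,DC=example,DC=com"
SUB = "CN=subgroup,OU=Groups,DC=example,DC=com"
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
CAROL = "CN=carol,OU=Users,DC=example,DC=com"
USERS = [ALICE, BOB, CAROL]

# Entry DN -> values of its memberOf attribute (direct memberships only).
MEMBER_OF = {ALICE: [PARENT], BOB: [SUB], CAROL: [], SUB: [PARENT], PARENT: []}


def in_chain(entry_dn, group_dn, member_of=MEMBER_OF):
    """True if entry_dn reaches group_dn via memberOf links; safe on cycles."""
    seen, stack = set(), [entry_dn]
    while stack:
        for parent in member_of.get(stack.pop(), []):
            if parent == group_dn:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False


def list_users(group_dn, nested):
    """Model the result set: direct matches only, or the transitive closure."""
    if nested:
        return [u for u in USERS if in_chain(u, group_dn)]
    return [u for u in USERS if group_dn in MEMBER_OF[u]]


if __name__ == "__main__":
    for nested in (False, True):
        print(member_filter(PARENT, nested), "->", list_users(PARENT, nested))
```

With the direct filter a role granted on the parent group reaches only alice; with the in-chain filter it also reaches bob through the subgroup, so the effective membership of every role-bearing group needs review before the nested form is enabled.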