Bug 1888680

Summary: AD Group nesting user dn list should also use base scope
Product: Red Hat OpenStack Reporter: Christopher Brown <chris.brown>
Component: openstack-keystoneAssignee: Dave Wilde <dwilde>
Status: CLOSED WONTFIX QA Contact: Jeremy Agee <jagee>
Severity: medium Docs Contact:
Priority: medium    
Version: 13.0 (Queens)CC: dmendiza, dwilde, ggrasza, ggrimaux, oblaut, pweeks
Target Milestone: zstreamKeywords: Triaged, ZStream
Target Release: 17.1Flags: ifrangs: needinfo? (dwilde)
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-03 19:28:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christopher Brown 2020-10-15 13:35:30 UTC 
Description of problem:

We currently see incomplete listing of users when connected to an AD implementation that employs nested groups. With the linked patch running in a custom container, the additional queries are performed to return the user listing we expect to see.


Version-Release number of selected component (if applicable):

RHOSP 13z12
Docker image is openstack-keystone:13.0-116

How reproducible:

Always

Steps to Reproduce:
1. openstack user list --domain <ad_domain>

Actual results:

No users are returned and no error is reported (this is not exceeding the max count as there are only ~40 users in the filter)

Expected results:

User listing returned.