Bug 830052
| Summary: | Add sample script that updates user roles based on LDAP group membership | | |
|---|---|---|---|
| Product: | [Community] PulpDist | Reporter: | Nick Coghlan <ncoghlan> |
| Component: | z_other | Assignee: | Nick Coghlan <ncoghlan> |
| Status: | CLOSED EOL | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | | |
| Target Milestone: | future_maint | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-29 03:04:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Marking all remaining PulpDist issues as CLOSED-EOL.

It doesn't make sense to leave these issues open, as PulpDist hasn't been in active development for quite some time, and restarting development would involve a significant modernisation effort that would likely render many of these requests irrelevant.
Pulp's LDAP integration has fairly severe limitations:

1. As Pulp performs only a single lookup, login can only be controlled based on LDAP group membership if the LDAP server provides "memberOf" attributes on User records. Many LDAP installations don't do that, instead listing group members directly in the group, without providing a reverse lookup from the users to their groups.
2. Only a single level of access can be granted automatically, and all users that pass the filter are granted that level. Any changes have to be performed later by an existing administrator.

This integration can be improved significantly (without requiring upstream changes) through the use of a cron job that, given a mapping from LDAP groups to Pulp roles, queries the LDAP server for the lists of group members and accesses the Pulp database directly to ensure:

1. Pulp user records for members of the LDAP group have the associated role in Pulp
2. All other Pulp user records do not have that role

This can easily be integrated with manual control of role assignments by using dedicated roles for the LDAP integration ("ldap-super-users", etc).
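The reconciliation step the report describes, as an added example that is not part of the PulpDist project or this bug. It assumes group entries list their members directly (the no-memberOf case from point 1), and stands in for the LDAP search and Pulp's user database with constructed dicts so it runs offline; the group names, DNs and logins are hypothetical.

```python
# Added example: reconcile dedicated LDAP-managed Pulp roles against LDAP
# group membership.  LDAP results and Pulp's user store are constructed dicts
# here; a real cron job would fill them from an LDAP query and Pulp's user
# database.  All names and DNs are hypothetical.

# Dedicated Pulp role -> LDAP group whose members should hold that role.
ROLE_TO_GROUP = {
    "ldap-super-users": "cn=pulp-admins,ou=groups,dc=example,dc=com",
    "ldap-repo-readers": "cn=pulp-readers,ou=groups,dc=example,dc=com",
}

# Group entries list their members directly (no memberOf on user entries).
LDAP_GROUPS = {
    "cn=pulp-admins,ou=groups,dc=example,dc=com": {"alice"},
    "cn=pulp-readers,ou=groups,dc=example,dc=com": {"alice", "bob", "carol"},
}

# Pulp user records: login -> roles.  "carol" has no Pulp account yet;
# "dave" holds a manually assigned "super-users" role that must survive.
PULP_USERS = {
    "alice": {"ldap-repo-readers"},
    "bob": {"ldap-super-users", "ldap-repo-readers"},
    "dave": {"super-users", "ldap-super-users"},
}


def reconcile_roles(role_to_group, ldap_groups, pulp_users):
    """Return (updated_users, changes, logins_without_pulp_account).

    Members of each mapped group gain the role, every other Pulp user loses
    it.  Roles outside the mapping are never touched.  A group missing from
    the LDAP result aborts the run instead of revoking the role everywhere.
    """
    updated = {login: set(roles) for login, roles in pulp_users.items()}
    changes, missing = [], set()
    for role, group_dn in role_to_group.items():
        if group_dn not in ldap_groups:
            raise LookupError(f"group {group_dn} not returned; leaving {role} alone")
        members = ldap_groups[group_dn]
        missing |= members - set(updated)
        for login, roles in updated.items():
            if login in members and role not in roles:
                roles.add(role)
                changes.append(("grant", login, role))
            elif login not in members and role in roles:
                roles.discard(role)
                changes.append(("revoke", login, role))
    return updated, changes, sorted(missing)
```

Logins reported in the third return value are LDAP group members with no Pulp record yet, which the job should log rather than silently skip.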