Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/ldap-posixgroup-support.

Description:

When searching for a user in a role or tenant, Keystone currently searches for the user's full DN as the value of the group's member attribute. This works fine if you are using a groupOfNames or organizationalRole layout where the members are full DNs, but if you are using posixGroups, the search will never match, since the member attribute value is the username (something like memberUid=joeblow).

In order for this to work with posixGroups, I'm proposing we add a config setting called 'user_member_attribute'. With this, you can specify the user attribute value you want to use when searching for role and tenant matches. For example, if you set 'user_member_attribute = uid', the value of the user's 'uid' attribute would be used for the tenant/role match. The search filter for a tenant lookup would look something like this:

  (&(memberUid=joeblow)(objectclass=posixGroup))

Without this setting, the filter would look like this:

  (&(memberUid=uid=joeblow,ou=people,dc=example,dc=com)(objectclass=posixGroup))

If 'user_member_attribute' isn't set, the default would be to use the user's full DN.

Specification URL (additional information): None
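The following is an added example, not code from Keystone or from the blueprint's author. It shows how a 'user_member_attribute' setting would change the membership filter and why the default (full DN) can never match a posixGroup, by running the same test against an in-memory stand-in for the directory. The function names, the LdapUser/group structures and the sample DNs are assumptions made for illustration; the filter values are escaped per RFC 4515 because the DN or uid being spliced into the filter comes from directory data.

```python
"""Added example (not Keystone's own code): how a 'user_member_attribute'
setting changes the group-membership filter.  Function names, the in-memory
directory and the sample DNs are assumptions made for illustration."""

from dataclasses import dataclass
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, sec. 3).

    The member value (a DN or a bare uid) is read from the user's directory
    entry, so it is escaped before being spliced into the filter string.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


@dataclass
class LdapUser:
    dn: str
    attrs: dict  # attribute name -> list of values, python-ldap style


def member_value(user: LdapUser, user_member_attribute: Optional[str] = None) -> str:
    """Value to look for in the group's member attribute.

    Setting unset (the default): the user's full DN, as Keystone does today.
    Setting present (e.g. 'uid'): the first value of that user attribute.
    """
    if not user_member_attribute:
        return user.dn
    values = user.attrs.get(user_member_attribute)
    if not values:
        raise ValueError('user %s has no %s attribute'
                         % (user.dn, user_member_attribute))
    return values[0]


def build_member_filter(user: LdapUser, member_attribute: str, objectclass: str,
                        user_member_attribute: Optional[str] = None) -> str:
    """Filter for 'groups of <objectclass> whose <member_attribute> holds this user'."""
    value = escape_filter_value(member_value(user, user_member_attribute))
    return '(&(%s=%s)(objectclass=%s))' % (member_attribute, value, objectclass)


def matching_groups(groups, member_attribute: str, objectclass: str, user: LdapUser,
                    user_member_attribute: Optional[str] = None):
    """Apply the same membership test to in-memory group entries.

    Stand-in for the server evaluating the filter, so the posixGroup
    mismatch is visible without a real directory.
    """
    wanted = member_value(user, user_member_attribute)
    return [g['dn'] for g in groups
            if objectclass in g['attrs'].get('objectclass', [])
            and wanted in g['attrs'].get(member_attribute, [])]


# Constructed sample data: one posixGroup (bare uid members) and one
# groupOfNames (full-DN members), both containing joeblow.
JOE = LdapUser('uid=joeblow,ou=people,dc=example,dc=com', {'uid': ['joeblow']})
GROUPS = [
    {'dn': 'cn=admins,ou=groups,dc=example,dc=com',
     'attrs': {'objectclass': ['posixGroup'], 'memberUid': ['joeblow']}},
    {'dn': 'cn=staff,ou=groups,dc=example,dc=com',
     'attrs': {'objectclass': ['groupOfNames'],
               'member': ['uid=joeblow,ou=people,dc=example,dc=com']}},
]

if __name__ == '__main__':
    # Default: DN is used, so the posixGroup filter cannot match memberUid.
    print(build_member_filter(JOE, 'memberUid', 'posixGroup'))
    print(matching_groups(GROUPS, 'memberUid', 'posixGroup', JOE))         # []
    # With user_member_attribute = uid the posixGroup is found.
    print(build_member_filter(JOE, 'memberUid', 'posixGroup', 'uid'))
    print(matching_groups(GROUPS, 'memberUid', 'posixGroup', JOE, 'uid'))  # [cn=admins,...]
    # groupOfNames keeps working with the DN default.
    print(matching_groups(GROUPS, 'member', 'groupOfNames', JOE))
```

The escaping step is the part worth keeping even if the rest is replaced by real python-ldap calls: a uid containing '*', '(' or ')' would otherwise change the meaning of the filter rather than being compared literally.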