Bug 1385744 - [RFE] Nested group when retrieving users from AD
Summary: [RFE] Nested group when retrieving users from AD
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: LDAP
Version: 6.2.0
Hardware: x86_64
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Katello QA List
URL:
Whiteboard:
: 1484016 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-17 15:43 UTC by Waldirio M Pinheiro
Modified: 2022-03-13 14:07 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-30 14:49:56 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-4973 0 None None None 2021-09-09 12:03:31 UTC
Red Hat Knowledge Base (Solution) 3178161 0 None None None 2017-09-11 12:20:34 UTC

Description Waldirio M Pinheiro 2016-10-17 15:43:31 UTC
Description of problem:
Customer have two groups, the first one is principal and the second one nested, customer would like to define just the first one and Satellite should be able to query and *know* all users members of all nested groups.

Version-Release number of selected component (if applicable):
6.2

How reproducible:
100

Steps to Reproduce:
1. Create two groups
2. Add the second one as nested of first one
3. Create one user inside second group
4. Configure Satellite to authenticate
5. Try to authenticate using the user inside the second group

Actual results:
it's not possible.

Expected results:
Login normally, once Satellite should check nested groups

Additional info:

Comment 5 César Alba 2017-06-15 07:26:18 UTC
I would like the enhancement to work on any LDAP group tree if possible.

Comment 7 Waldirio M Pinheiro 2017-09-05 13:58:43 UTC
Hi all

Just one full description about the workaround.

Soon I'll prepare one kcs about it.

---

Nested groups in Satellite 6.2.x

// On AD side we have

	- domain.example
		- Users
			- normal_grp
			- nested_grp
				- testuser
	
	PS: On this case nested_grp is a group memberof normal_grp


Just some AD/Objects Information

// DN of group used on test
	CN=normal_grp,CN=Users,DC=Domain,DC=example


On Satellite side

// When adding this LDAP filter, we enable all members of normal_grp to login but not nested users
	(&(objectCategory=Person)(sAMAccountName=*)(memberOf:=CN=normal_grp,CN=Users,DC=Domain,DC=example))

// When adding the code *1.2.840.113556.1.4.1941* on the filter, we enable nested users to login
	(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=normal_grp,CN=Users,DC=Domain,DC=example))


Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 8 Waldirio M Pinheiro 2017-09-05 14:58:35 UTC
Hello all

https://access.redhat.com/solutions/3172711

Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 9 Nagoor Shaik 2017-09-11 09:57:21 UTC
*** Bug 1484016 has been marked as a duplicate of this bug. ***

Comment 10 Bryan Kearney 2018-11-01 14:44:08 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is  not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Rich Jerrido or Bryan Kearney or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 11 Bryan Kearney 2018-11-30 14:49:56 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Rich Jerrido or Bryan Kearney. Thank you.


Note You need to log in before you can comment on or make changes to this bug.