Bug 1437324 - rolebindings not applied to users in nested LDAP groups [NEEDINFO]
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Assigned To: Mo
QA Contact: Chuan Yu
Reported: 2017-03-30 01:32 EDT by Brennan Vincello
Modified: 2017-08-16 15 EDT

Doc Type: Enhancement
Doc Text:
Feature: Nested group sync between OpenShift and Active Directory.
Reason: It is common to have nested groups in Active Directory. Users wanted to be able to sync such groups with OpenShift. This feature was always supported, but lacked any formal documentation and was difficult to discover.
Result: Docs added at https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example
Last Closed: 2017-08-10 01:20:02 EDT
Type: Bug
Flags: mkhan: needinfo? (bvincell)

External Trackers:
- GitHub openshift/openshift-docs/pull/4315 (last updated 2017-05-30 04:31 EDT)
- GitHub openshift/origin/issues/12168 (last updated 2017-05-30 04:33 EDT)
- Red Hat Product Errata RHEA-2017:1716, priority normal, status SHIPPED_LIVE: "Red Hat OpenShift Container Platform 3.6 RPM Release Advisory" (last updated 2017-08-10 05:02:50 EDT)

Description Brennan Vincello 2017-03-30 01:32:02 EDT
Description of problem:

Permissions for nested LDAP groups are not applied as expected for users in nested groups. 

For example: OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John
    - When the cluster role "cluster-admin" is added to the group OSE-CLUSTER-ADMINS, the rights do not propagate down to Smith, John.

The privileges only apply properly if users are directly in the LDAP group getting permissions.

Expected outcome:

Rights propagated to users in nested groups.

Version-Release number of selected component (if applicable): OCP 3.4

How reproducible: Very

Steps to Reproduce:

oadm groups sync --sync-config=ldap_sync_new.yaml
oadm groups sync --sync-config=/root/ldap_sync_new.yaml --confirm --match-server-version
oadm policy add-cluster-role-to-group cluster-admin OSE-CLUSTER-ADMINS

Actual results:

Nested users do not appear in:
oc describe clusterrolebinding cluster-admins

Expected results:

Nested users added to clusterrolebinding

Additional info: n/a
Comment 1 Jordan Liggitt 2017-04-02 21:40:02 EDT
Groups within OpenShift do not nest. If you want nested group membership in LDAP to transfer to OpenShift, the nested membership must be flattened by the group sync process.

For example, after syncing with LDAP, the OSE-CLUSTER-ADMINS group in OpenShift would contain both the direct and indirect members of the group.
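The flattening Comment 1 describes, as an added example (Python written for this page, not code from the bug report or from OpenShift's group sync tool): a constructed directory mirrors the OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> John Smith chain from the report, `direct_members` shows what a sync that copies only direct members produces, `flattened_members` walks sub-groups with cycle protection, and `users_bound_by` mimics the membership that `oc describe clusterrolebinding` would list for the bound groups. All DNs, user names and the nesting cycle are constructed for the example.

```python
"""Flattening nested LDAP group membership into OpenShift groups.

Added example, not part of the bug report or of OpenShift. OpenShift
Groups do not nest, so a sync that copies only direct members leaves
indirect members (users reached through a sub-group) outside every
role binding granted to the parent group.
"""
from typing import Dict, List, Set

# Constructed LDAP-style directory: group DN -> direct "member" values,
# which may be user DNs or other group DNs.
DIRECTORY: Dict[str, List[str]] = {
    "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com",
        "cn=Jane Doe,ou=users,dc=example,dc=com",
    ],
    "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=John Smith,ou=users,dc=example,dc=com",
        # Constructed cycle: the sub-group points back at its parent, so a
        # naive recursive walk would never terminate.
        "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com",
    ],
}

# Constructed user records: user DN -> attribute used as the OpenShift user name.
USERS: Dict[str, str] = {
    "cn=John Smith,ou=users,dc=example,dc=com": "jsmith",
    "cn=Jane Doe,ou=users,dc=example,dc=com": "jdoe",
}


def cn_of(dn: str) -> str:
    """Return the cn value of a DN ("cn=X,ou=..." -> "X")."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_members(group_dn: str) -> Set[str]:
    """Users directly in the group: what a non-nested sync writes."""
    return {USERS[m] for m in DIRECTORY.get(group_dn, []) if m in USERS}


def flattened_members(group_dn: str) -> Set[str]:
    """Users reachable through any chain of sub-groups, cycle-safe.

    This is the flattening Comment 1 describes: the synced OpenShift
    group must hold both the direct and the indirect members.
    """
    users: Set[str] = set()
    seen_groups: Set[str] = set()
    stack = [group_dn]
    while stack:
        group = stack.pop()
        if group in seen_groups:      # cycle or diamond: already expanded
            continue
        seen_groups.add(group)
        for member in DIRECTORY.get(group, []):
            if member in USERS:
                users.add(USERS[member])
            elif member in DIRECTORY:
                stack.append(member)
    return users


def sync_groups(group_dns: List[str], nested: bool) -> Dict[str, Set[str]]:
    """Build the OpenShift Group name -> users map a sync run would write."""
    return {
        cn_of(dn): (flattened_members(dn) if nested else direct_members(dn))
        for dn in group_dns
    }


def users_bound_by(binding_group_names: List[str],
                   synced: Dict[str, Set[str]]) -> Set[str]:
    """Users a ClusterRoleBinding reaches through its group subjects.

    OpenShift resolves a group subject against the synced Group object
    only; it never consults LDAP, so anyone missing from the flattened
    membership is also missing from the binding.
    """
    bound: Set[str] = set()
    for name in binding_group_names:
        bound |= synced.get(name, set())
    return bound


if __name__ == "__main__":
    binding = ["OSE-CLUSTER-ADMINS"]   # group subject of the cluster-admin binding
    for nested in (False, True):
        synced = sync_groups(list(DIRECTORY), nested=nested)
        print(f"nested={nested}: cluster-admin reaches {sorted(users_bound_by(binding, synced))}")
```

Running the block shows the failure mode in the report: with direct-only membership the binding reaches `jdoe` but not `jsmith`, while the flattened sync reaches both.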
Comment 15 Wang Haoran 2017-05-30 22:26:19 EDT
It works well with the guide, marked verified.
Comment 17 errata-xmlrpc 2017-08-10 01:20:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
