Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1437324

Summary: rolebindings not applied to users in nested LDAP groups
Product: OpenShift Container Platform
Reporter: Brennan Vincello <bvincell>
Component: apiserver-auth
Assignee: Mo <mkhan>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: medium
Priority: unspecified
Version: 3.4.0
CC: aos-bugs, bvincell, eparis, haowang, jliggitt, jswensso, mfojtik, nnosenzo, skuznets, smunilla
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
Feature: Nested group sync between OpenShift and Active Directory.
Reason: It is common to have nested groups in Active Directory. Users wanted to be able to sync such groups with OpenShift. This feature was always supported, but lacked any formal documentation and was difficult to discover.
Result: Docs added at https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example
Story Points: ---
Last Closed: 2017-08-10 05:20:02 UTC
Type: Bug
Regression: ---

Description Brennan Vincello 2017-03-30 05:32:02 UTC
Description of problem:

Permissions for nested LDAP groups are not applied as expected for users in nested groups. 

For example: OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John
    - After adding the cluster role "cluster-admin" to the group OSE-CLUSTER-ADMINS, rights do not propagate down to Smith, John

The privileges only apply properly if users are directly in the LDAP group getting permissions.

Expected outcome:

Rights propagated to users in nested groups.

Version-Release number of selected component (if applicable): OCP 3.4

How reproducible: Very

Steps to Reproduce:

oadm groups sync --sync-config=ldap_sync_new.yaml
oadm groups sync --sync-config=/root/ldap_sync_new.yaml --confirm --match-server-version
oadm policy add-cluster-role-to-group cluster-admin OSE-CLUSTER-ADMINS

Actual results:

Nested users do not appear in:
oc describe clusterrolebinding cluster-admins

Expected results:

Nested users added to clusterrolebinding

Additional info: n/a

Comment 1 Jordan Liggitt 2017-04-03 01:40:02 UTC
Groups within OpenShift do not nest. If you want nested group membership in LDAP to transfer to OpenShift, the nested membership must be flattened by the group sync process.

For example, after syncing with LDAP, the OSE-CLUSTER-ADMINS group in OpenShift would contain both the direct and indirect members of the group

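As an added illustration of the flattening described in Comment 1 (this is example code, not part of the bug report or of OpenShift's own group sync), the following Python models a directory as a map of group DN to member DNs, using constructed sample data that mirrors the OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John chain from the description plus a deliberate membership cycle. It computes the transitive user membership a flattened sync must produce and reports which users a sync that only reads direct members would leave out of the OpenShift group, which is exactly the symptom reported. The DNs, mail addresses, and function names are assumptions made for the example.

```python
"""Flatten nested LDAP group membership the way an OpenShift group sync must.

Added example, not code from the bug or from OpenShift. OpenShift Groups are
flat lists of user names, so syncing OSE-CLUSTER-ADMINS has to include users
whose only membership is through the nested ITS-OSE-ADMINS group.
"""
from collections import deque

# Constructed sample directory (assumed DNs), modelled on the bug's example:
#   OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John
# ITS-OSE-ADMINS also lists OSE-CLUSTER-ADMINS as a member to create a cycle,
# which Active Directory allows and a naive recursive walk would loop on.
GROUPS = {
    "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com",
        "cn=Doe\\, Jane,ou=users,dc=example,dc=com",
    ],
    "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=Smith\\, John,ou=users,dc=example,dc=com",
        "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com",  # cycle
    ],
}

# Constructed user entries: DN -> the attribute the sync uses as the
# OpenShift user name (mail here, as in the docs' AD example).
USERS = {
    "cn=Smith\\, John,ou=users,dc=example,dc=com": "jsmith@example.com",
    "cn=Doe\\, Jane,ou=users,dc=example,dc=com": "jdoe@example.com",
}


def flatten_members(group_dn, groups=GROUPS, users=USERS):
    """Return the set of user names that are direct or indirect members of group_dn.

    Breadth-first walk over nested groups. `seen` guards against membership
    cycles so the walk terminates; DNs that are neither a known group nor a
    known user are skipped, as a sync whose users query filters them out would.
    """
    seen = {group_dn}
    queue = deque([group_dn])
    names = set()
    while queue:
        current = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            elif member in users:
                names.add(users[member])
    return names


def direct_members_only(group_dn, groups=GROUPS, users=USERS):
    """What a sync that reads only the group's own `member` values produces."""
    return {users[m] for m in groups.get(group_dn, []) if m in users}


def missing_from_synced_group(group_dn, synced_users, groups=GROUPS, users=USERS):
    """Users who should be in the OpenShift Group but are not.

    `synced_users` is the `users` list of the synced Group object, e.g. taken
    from `oc get group OSE-CLUSTER-ADMINS -o json`. An empty result means the
    sync flattened the nesting correctly.
    """
    return flatten_members(group_dn, groups, users) - set(synced_users)


if __name__ == "__main__":
    top = "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com"
    naive = direct_members_only(top)
    print("direct-only sync gives:", sorted(naive))
    print("users missing from it:", sorted(missing_from_synced_group(top, naive)))
    print("flattened membership:", sorted(flatten_members(top)))
```

In a real deployment the flattening is done by the directory rather than by client code: Active Directory can resolve the whole chain server-side through the in-chain matching rule (OID 1.2.840.113556.1.4.1941) on memberOf, which is the approach the nested-group docs linked in the Doc Text take. The `missing_from_synced_group` check is still useful after a sync: feed it the `users` list from the synced Group object and an empty result confirms that indirect members such as Smith, John were picked up before you bind cluster-admin to the group.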
Comment 15 Wang Haoran 2017-05-31 02:26:19 UTC
It works well with the guide, marked verified.

Comment 17 errata-xmlrpc 2017-08-10 05:20:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Comment 18 Red Hat Bugzilla 2023-09-14 03:55:47 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days