Description of problem:
Permissions for nested LDAP groups are not applied as expected for users in nested groups.

For example: OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John

Adding the cluster role "cluster-admin" to the group OSE-CLUSTER-ADMINS, rights do not propagate down to Smith, John. The privileges only apply properly if users are directly in the LDAP group getting permissions.

Expected outcome: Rights propagated to users in nested groups.

Version-Release number of selected component (if applicable):
OCP 3.4

How reproducible:
Very

Steps to Reproduce:
oadm groups sync --sync-config=ldap_sync_new.yaml
oadm groups sync --sync-config=/root/ldap_sync_new.yaml --confirm --match-server-version
oadm policy add-cluster-role-to-group cluster-admin OSE-CLUSTER-ADMINS

Actual results:
Nested users do not appear in: oc describe clusterrolebinding cluster-admins

Expected results:
Nested users added to clusterrolebinding

Additional info:
n/a
Groups within OpenShift do not nest. If you want nested group membership in LDAP to transfer to OpenShift, the nested membership must be flattened by the group sync process. For example, after syncing with LDAP, the OSE-CLUSTER-ADMINS group in OpenShift would contain both the direct and indirect members of the group.
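The flattening the comment above refers to, shown as an added Python example (this is not OpenShift's group sync code, and the directory entries, DNs and attribute layout are constructed for illustration). It walks a group's member attribute transitively, treats any member that is itself a group as something to descend into, tolerates membership cycles, and renders the result in the shape of a flat OpenShift Group object: every reachable user listed as a direct member, which is the only form OpenShift's cluster role bindings can evaluate.

```python
"""Flatten nested LDAP group membership into direct membership.

Added illustration, not OpenShift's own sync logic: OpenShift groups do not
nest, so a sync process has to resolve indirect (nested) members into direct
members before the Group object is written.
"""
from collections import deque

# Constructed sample directory: group DN -> list of member DNs, the shape of an
# rfc2307-style "member" attribute. Members may be users or other groups.
# Group names mirror the bug report; the DNs and user entries are made up.
SAMPLE_GROUPS = {
    "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com",   # nested group
        "uid=alice,ou=users,dc=example,dc=com",            # direct member
    ],
    "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com": [
        "uid=jsmith,ou=users,dc=example,dc=com",           # indirect member of the parent
        "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com",  # deliberate cycle
    ],
}


def flatten_members(group_dn, groups):
    """Return the set of user DNs reachable from group_dn through any depth of nesting.

    A member DN that is a key in `groups` is a group and is descended into;
    anything else is treated as a user. The visited set makes a cycle such as
    A contains B contains A terminate instead of looping.
    """
    users = set()
    visited = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in groups:
                queue.append(member)
            else:
                users.add(member)
    return users


def _rdn_value(dn):
    """Take the value of the first RDN, e.g. 'cn=X,ou=...' -> 'X' (assumed naming)."""
    return dn.split(",")[0].split("=", 1)[1]


def openshift_group_object(group_dn, groups):
    """Render flattened membership as a flat OpenShift Group object.

    Names are derived from the first RDN of each DN (an assumption about the
    directory layout); real sync configs pick these via name attributes.
    """
    users = sorted(_rdn_value(dn) for dn in flatten_members(group_dn, groups))
    return {
        "apiVersion": "v1",
        "kind": "Group",
        "metadata": {"name": _rdn_value(group_dn)},
        "users": users,
    }


if __name__ == "__main__":
    for dn in SAMPLE_GROUPS:
        print(openshift_group_object(dn, SAMPLE_GROUPS))
```

Because membership is computed as a closure rather than one level deep, a user three or four groups down the chain still lands in the top-level Group object, and a role bound to that group then applies to them.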
It works well with the build, marked verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1716
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days