Red Hat Bugzilla – Bug 1472957
Documentation update for AD include file changes
Last modified: 2017-08-08 03:59:10 EDT
Description of problem:
With this version of RHV, ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.
So, for multi domain AD environments, Customers need to change
the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.
Please provide appropriate documentation in Customer facing docs for this change.
Anitha, this is strange because we have not supported using domain local groups in multi-domain forrest at all before BZ1336707, and BZ1336707 was fixed in aaa-ldap contained in RHV 4.1.0. So:
1. If customers used domain local groups in managed-domains and they've only moved to aaa-ldap with no AD changes (especially manage-domains didn't support forrest only single domain, so they have configured aaa-ldap only to correct single domain servers), they should not face the issue
2. Customers used only single domain setup and after upgrade to 4.1 now they have changed their AD to multi-domain forrest. If so then they faced that issue.
Anyway it needs to mentioned that using domain local groups for group membership inside multi-domains forrest in not recommended by Microsoft.
Ondro, could you please provide correct steps to alter configuration and also please update DocText also in BZ1336707.
Ondra, can you please provide the steps as requested by Martin in comment 2?
The difference is described in profile itself here:
If you need any more information, please let me know.