Red Hat Bugzilla – Bug 577829
LDAP: Feature request: Add support for dynamic groups in RH directory server
Last modified: 2014-05-27 21:33:00 EDT
Description of problem:
LDAP: User is not given the privileges of the role to which the ldap dynamic group is mapped.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a user in ldap and make this user member of a dynamic group.
2. Login as rhqadmin and search for the dynamic group and map this group to a role in rhq.
3. Logout and login as the newly created user.
4. Check the user role privileges after login.
Actual results:
User is not given the privileges of the role to which the ldap dynamic group is mapped.
Expected results:
User should have the privileges of the role to which the ldap dynamic group is mapped.
> 1. Create a user in ldap and make this user member of a dynamic group.
I'm confused here. You can't make users members of groups in RHQ, only roles.
Can you explain more about what you mean by "dynamic group" in this context?
Can you add more detailed reproduction steps?
Context here is user is member of dynamic group in ldap and not the groups in RHQ.
This refers to creating a user in Red Hat Directory Server and making this user a member of a dynamic group in Red Hat Directory Server.
1. Add a user in Red Hat Directory Server (Ex: user1)
2. Add a group in Red Hat Directory Server (Ex: dynagroup)
3. Select the Member -> Dynamic Group tab
4. Add a member (user1) to this dynamic group.
5. Login as rhqadmin to rhq.
6. Navigate to Administration -> Security -> Roles
7. Click on the link for an existing role (Ex: All Resources Role)
8. Click on the 'Add To List' button in the 'Assigned LDAP Groups' section.
9. Screen displays the ldap dynamic group (dynagroup). Select this group and assign it to the role in rhq.
10. Logout and login as the newly created user (user1).
11. Check the user role privileges after login.
12. User should get the privileges of the role assigned to the dynamic group (All Resources Role).
Ok, thanks Sunil. I understand now. More info on RHDS groups:
"A group consists of users who share a common attribute or are part of a list. Red Hat Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs by the way in which users, or members, are added to it:
* A static group has members who are manually added to it, so it is static because the members do not change unless an administrator manually adds or removes users.
* A dynamic group automatically includes users based on one or more attributes in their entries; the attributes and values are determined using LDAP URLs. For example, a dynamic group can use an LDAP filter which searches for entries which contain the attributes and values st=California and department=sales. As entries are added to the directory with those two attributes, the users are automatically added as members to the dynamic group. If those attributes are removed from the entry, the entry is removed from the group.
* A certificate group includes all users who have a specific attribute-value pair in the subject name of the certificate. For example, the certificate group could be based on having the string st=California,ou=Sales,ou=West in the subject name. If a user logs onto a server using a certificate with those attributes in his certificate, the user is automatically added to the group and is granted all of the access privileges of that group. "
Simeon, you should check with Shannon but I think the only group type we're going to be able to support right now is Static. I think the issue we're hitting is that there is no reference from the user back to the group for dynamic or certificate groups.
We only support static ldap group members at this time.
Both 'dynamic' and 'certificate' ldap groups are similar to the RHQ concept of dynagroups in that a search 'recipe' must be defined to dynamically calculate the matching group members at query time.
As an enhancement request the following areas would require changes:
i) Admin ldap settings would need to be modified to include and modify lists of search recipes for both dynamic and certificate details.
ii) LdapGroupManager.findAvailableGroupsForUser() will need to be modified to additionally include queries for dynamic & certificate groups as well.
Concerns: Our ldap sync/refresh mechanism will need to be enhanced to include checks of dynamic groups as well. Uncertain if this will increase check round trips to the ldap server for reverification.
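The distinction drawn in the RHDS group description above and in the enhancement notes (static membership is a literal member list on the group entry; dynamic membership is a memberURL search recipe that has to be evaluated against the user's own entry, so nothing on the user points back to the group) is illustrated by the following added example. This is not RHQ or RHDS code and does not use a real LDAP server: the DIRECTORY dictionary, the DNs, the user attributes and the two group entries are all constructed for the illustration, and the filter parser handles only the equality/and/or/not subset needed here.

```python
"""Constructed example (not RHQ or RHDS code): resolving a user's LDAP groups
when groups are static (explicit member lists) versus dynamic (a memberURL
search recipe that must be evaluated against the user's entry)."""

# Constructed directory, keyed by DN. Values are attribute -> list of values.
DIRECTORY = {
    "uid=user1,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["user1"],
        "st": ["California"], "department": ["sales"]},
    "uid=user2,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["user2"],
        "st": ["Nevada"], "department": ["sales"]},
    # Static group: membership is a literal list on the group entry.
    "cn=staticgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["staticgroup"],
        "uniqueMember": ["uid=user2,ou=People,dc=example,dc=com"]},
    # Dynamic group: membership is a search recipe; nothing on user1 points here.
    "cn=dynagroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfURLs"], "cn": ["dynagroup"],
        "memberURL": ["ldap:///ou=People,dc=example,dc=com??sub?"
                      "(&(st=California)(department=sales))"]},
}


def parse_filter(text, pos=0):
    """Parse a small subset of RFC 4515 filters: &, |, !, attr=value, attr=*.
    Returns (node, next_pos). Value escaping, substring and extensible matches
    are not handled; enough for the illustration, not for production use."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1          # skip the closing ')'
    if text[pos] == "!":
        child, pos = parse_filter(text, pos + 1)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def parse_member_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported here")
    parts = url[len("ldap:///"):].split("?", 3) + ["", "", ""]
    base, _attrs, scope, filt = parts[:4]
    return base, (scope or "base").lower(), filt or "(objectClass=*)"


def in_scope(dn, base, scope):
    """Naive scope test on lower-cased DN strings (no escaped-comma handling)."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]
    return scope == "sub" or "," not in relative   # "one": a single RDN below base


def static_groups_for_user(user_dn, directory=DIRECTORY):
    """What a static-only lookup sees: groups that list the user explicitly."""
    needle = user_dn.lower()
    return sorted(
        dn for dn, e in directory.items()
        if needle in (m.lower() for m in e.get("uniqueMember", []) + e.get("member", []))
    )


def groups_for_user(user_dn, directory=DIRECTORY):
    """Static groups plus dynamic groups whose memberURL recipe matches the user."""
    entry = directory[user_dn]
    found = set(static_groups_for_user(user_dn, directory))
    for dn, e in directory.items():
        for url in e.get("memberURL", []):          # one evaluation per recipe
            base, scope, filt = parse_member_url(url)
            if in_scope(user_dn, base, scope) and matches(parse_filter(filt)[0], entry):
                found.add(dn)
    return sorted(found)


if __name__ == "__main__":
    for user in ("uid=user1,ou=People,dc=example,dc=com",
                 "uid=user2,ou=People,dc=example,dc=com"):
        print(user, "static:", static_groups_for_user(user), "all:", groups_for_user(user))
```

Running it shows the gap the bug describes: a static-only lookup returns nothing for user1, so a role mapped to dynagroup would never be applied, while the recipe-aware lookup places user1 in dynagroup. It also makes the round-trip concern concrete: every dynamic group's memberURL has to be evaluated against the user's entry on each refresh, whereas static membership is a single attribute comparison.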
Closing due to inactivity.