Bug 830052 - Add sample script that updates user roles based on LDAP group membership
Status: CLOSED EOL
Product: PulpDist
Classification: Community
Component: z_other (Show other bugs)
Severity: medium
Target Milestone: future_maint
Assigned To: Nick Coghlan
Reported: 2012-06-08 01:30 EDT by Nick Coghlan
Modified: 2016-09-28 23:04 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-09-28 23:04:21 EDT
Type: Bug
Description Nick Coghlan 2012-06-08 01:30:31 EDT
Pulp's LDAP integration has fairly severe limitations:

1. As Pulp performs only a single lookup, login can only be controlled based on LDAP group membership if the LDAP server provides "memberOf" attributes on User records. Many LDAP installations don't do that, instead listing group members directly in the group, without providing a reverse lookup from the users to their groups.

2. Only a single level of access can be granted automatically, and all users that pass the filter are granted that level. Any changes have to be performed later by an existing administrator.

This integration can be improved significantly (without requiring upstream changes) through the use of a cron job that, given a mapping from LDAP groups to Pulp roles, queries the LDAP server for the lists of group members and accesses the Pulp database directly to ensure:

1. Pulp user records for members of the LDAP group have the associated role in Pulp
2. All other Pulp user records do not have that role

This can easily be integrated with manual control of role assignments by using dedicated roles for the LDAP integration ("ldap-super-users", etc).
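The reconciliation step the description outlines, written as an added example (not PulpDist or Pulp code): given the LDAP group member lists and a snapshot of Pulp user records, compute which managed roles to grant and revoke. The LDAP query and the Pulp database access are assumed to happen elsewhere, so the inputs here are constructed dictionaries; the group DNs, role names and logins are hypothetical.

```python
"""Plan Pulp role changes from LDAP group membership (added example, not PulpDist code)."""
from typing import Dict, Set

# Hypothetical mapping from LDAP group DN to the dedicated Pulp role it controls.
GROUP_TO_ROLE = {
    "cn=pulp-admins,ou=groups,dc=example,dc=com": "ldap-super-users",
    "cn=pulp-release,ou=groups,dc=example,dc=com": "ldap-release-managers",
}

# Constructed LDAP result: each group lists its members directly (no memberOf on users).
SAMPLE_LDAP_GROUPS = {
    "cn=pulp-admins,ou=groups,dc=example,dc=com": ["alice", "carol"],
    "cn=pulp-release,ou=groups,dc=example,dc=com": ["bob", "alice"],
}

# Constructed snapshot of Pulp user records: login -> roles currently held.
SAMPLE_PULP_USERS = {
    "alice": {"ldap-super-users"},
    "bob": {"ldap-super-users", "ldap-release-managers"},  # should lose super-users
    "dave": {"ldap-release-managers", "manual-role"},      # manual-role must stay untouched
    "admin": {"super-users"},                              # built-in role, not managed here
}


def plan_role_changes(ldap_groups, pulp_users, group_to_role):
    """Return (grants, revocations, unknown) so that each managed role is held by exactly
    the Pulp users who are members of its LDAP group.  Roles outside the mapping are left
    alone.  A mapped group missing from the LDAP result raises instead of silently
    revoking the role from everyone (a failed lookup must not become a mass revocation)."""
    desired: Dict[str, Set[str]] = {}
    for group_dn, role in group_to_role.items():
        if group_dn not in ldap_groups:
            raise LookupError(f"LDAP group {group_dn!r} not found; refusing to revoke {role!r}")
        desired.setdefault(role, set()).update(ldap_groups[group_dn])  # union if several groups map to one role
    grants, revocations, unknown = {}, {}, set()
    for role, members in desired.items():
        unknown.update(m for m in members if m not in pulp_users)  # LDAP member with no Pulp record yet
        for login, roles in pulp_users.items():
            if login in members and role not in roles:
                grants.setdefault(login, set()).add(role)
            elif login not in members and role in roles:
                revocations.setdefault(login, set()).add(role)
    return grants, revocations, unknown


def apply_plan(pulp_users, grants, revocations):
    """Apply the plan to an in-memory copy; a real cron job would write to the Pulp database here."""
    updated = {login: set(roles) for login, roles in pulp_users.items()}
    for login, roles in grants.items():
        updated[login] |= roles
    for login, roles in revocations.items():
        updated[login] -= roles
    return updated
```

Users reported in `unknown` are LDAP group members who have never logged in to Pulp, so there is no record to update yet; they receive the role on the next run after their first login.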
Comment 1 Nick Coghlan 2016-09-28 23:04:21 EDT
Marking all remaining PulpDist issues as CLOSED-EOL

It doesn't make sense to leave these issues open, as PulpDist hasn't been in active development for quite some time, and restarting development would involve a significant modernisation effort that would likely render many of these requests irrelevant.
