Red Hat Bugzilla – Bug 830052
Add sample script that updates user roles based on LDAP group membership
Last modified: 2016-09-28 23:04:21 EDT
Pulp's LDAP integration has fairly severe limitations:
1. As Pulp performs only a single lookup, login can only be controlled based on LDAP group membership if the LDAP server provides "memberOf" attributes on User records. Many LDAP installations don't do that, instead listing group members directly in the group, without providing a reverse lookup from the users to their groups.
2. Only a single level of access can be granted automatically, and all users that pass the filter are granted that level. Any changes have to be performed later by an existing administrator.
This integration can be improved significantly (without requiring upstream changes) through the use of a cron job that, given a mapping from LDAP groups to Pulp roles, queried the LDAP server for the lists of group members and accessed the Pulp database directly to ensure:
1. Pulp user records for members of the LDAP group have the associated role in Pulp
2. All other Pulp user records do not have that role
This can easily be integrated with manual control of role assignments by using dedicated roles for the LDAP integration ("ldap-super-users", etc).
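The reconciliation the report describes, as an added example that is not part of the bug report or of Pulp's own code: the LDAP search and the Pulp user store are stood in for by constructed in-memory data (the page gives neither Pulp's user schema nor the LDAP layout), so the script runs offline, and the group DNs, logins and role names are all assumed sample values. It handles the two cases the report cares about (members listed on the group rather than as "memberOf" on the user, and dedicated LDAP-managed roles that coexist with manually assigned ones) and additionally skips a group the lookup did not return, so a failed LDAP query cannot strip every user of a role.

```python
"""Reconcile Pulp role assignments with LDAP group membership.

Added example, not the Pulp project's code. In a real cron job
`ldap_groups` would be built from an LDAP search for each mapped group
and `pulp_users` read from Pulp's database; here both are constructed.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed sample: LDAP group DN -> member DNs, i.e. membership is
# listed on the group entry and the user entries carry no "memberOf".
LDAP_GROUPS: Dict[str, Set[str]] = {
    "cn=pulp-admins,ou=groups,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    },
    "cn=pulp-readers,ou=groups,dc=example,dc=com": {
        "uid=carol,ou=people,dc=example,dc=com",
        "uid=erin,ou=people,dc=example,dc=com",  # has no Pulp account
    },
}

# Constructed sample: Pulp login -> roles currently assigned.
PULP_USERS: Dict[str, Set[str]] = {
    "alice": {"ldap-super-users"},
    "bob": {"release-manager"},       # manual role, must survive
    "carol": {"ldap-super-users"},    # stale: no longer in pulp-admins
    "dave": {"ldap-readers"},         # stale: not in pulp-readers
}

# The mapping the report asks for: LDAP group -> dedicated Pulp role.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=pulp-admins,ou=groups,dc=example,dc=com": "ldap-super-users",
    "cn=pulp-readers,ou=groups,dc=example,dc=com": "ldap-readers",
}


def login_from_dn(dn: str) -> Optional[str]:
    """Return the uid from a member DN, or None if its first RDN is not uid."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "uid" or not value.strip():
        return None
    return value.strip()


def plan_role_changes(
    group_to_role: Dict[str, str],
    ldap_groups: Dict[str, Set[str]],
    pulp_users: Dict[str, Set[str]],
) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Return (grant, revoke) sets of (login, role) pairs.

    For each mapped role, Pulp users who are members of the LDAP group get
    the role and every other Pulp user loses it. Roles absent from the
    mapping are never touched, so manual assignments survive. A group the
    lookup did not return is skipped instead of being treated as empty.
    """
    grant: Set[Tuple[str, str]] = set()
    revoke: Set[Tuple[str, str]] = set()
    for group_dn, role in group_to_role.items():
        members = ldap_groups.get(group_dn)
        if members is None:
            continue  # lookup failed or group missing: leave role as is
        wanted = {l for l in (login_from_dn(dn) for dn in members) if l}
        for login, roles in pulp_users.items():
            if login in wanted and role not in roles:
                grant.add((login, role))
            elif login not in wanted and role in roles:
                revoke.add((login, role))
    return grant, revoke


def apply_role_changes(
    pulp_users: Dict[str, Set[str]],
    grant: Set[Tuple[str, str]],
    revoke: Set[Tuple[str, str]],
) -> Dict[str, Set[str]]:
    """Return a copy of the user store with the planned changes applied."""
    updated = {login: set(roles) for login, roles in pulp_users.items()}
    for login, role in grant:
        updated[login].add(role)
    for login, role in revoke:
        updated[login].discard(role)
    return updated


if __name__ == "__main__":
    grant, revoke = plan_role_changes(GROUP_TO_ROLE, LDAP_GROUPS, PULP_USERS)
    for login, role in sorted(grant):
        print(f"grant  {role:16} -> {login}")
    for login, role in sorted(revoke):
        print(f"revoke {role:16} <- {login}")
```

Run as a cron job, the script would first compute the plan and then write it to the user store; keeping planning and applying separate lets the job log every grant and revoke before committing it, which is the audit trail an administrator wants when an automated task is changing access levels.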
Marking all remaining PulpDist issues as CLOSED-EOL
It doesn't make sense to leave these issues open, as PulpDist hasn't been in active development for quite some time, and restarting development would involve a significant modernisation effort that would likely render many of these requests irrelevant.