Support for LDAP posixGroups with the 'user_member_attribute' setting
When searching for a user in a role or tenant, Keystone currently searches for the user's full DN as the value of the group's member attribute. This works fine if you are using a groupOfNames or organizationalRole layout where the members are full DNs, but if you are using posixGroups, the search will never match since the member attribute value is the username (something like memberUid=joeblow).
In order for this to work with posixGroups, I'm proposing we add a config setting called 'user_member_
(&(memberUid=
Without this setting, the filter would look like this:
(&(memberUid=
If 'user_member_
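The mismatch described above, as an added example that is not Keystone's LDAP driver code: the same membership lookup is run against a groupOfNames entry and a posixGroup entry, first with the user's DN and then with the bare username. The entries, the example DN, the function names and the exact filter shape are assumptions made for illustration, and the matcher uses plain string equality in place of a real directory's matching rules.

```python
# Added example with constructed entries; not Keystone's LDAP driver code.
GROUPS = [
    {"cn": "admins", "objectClass": "groupOfNames",
     "member": ["uid=joeblow,ou=Users,dc=example,dc=org"]},
    {"cn": "devs", "objectClass": "posixGroup", "memberUid": ["joeblow"]},
]

USER_DN = "uid=joeblow,ou=Users,dc=example,dc=org"  # constructed DN
USER_NAME = "joeblow"


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(object_class, member_attr, value):
    """Render a group search filter for one member value (assumed shape)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, member_attr, escape_filter_value(value))


def find_groups(groups, object_class, member_attr, value):
    """Stand-in for the directory: exact equality on the member attribute."""
    return [g["cn"] for g in groups
            if g["objectClass"] == object_class
            and value in g.get(member_attr, [])]


if __name__ == "__main__":
    cases = [
        ("groupOfNames", "member", USER_DN),    # DN-valued members: matches
        ("posixGroup", "memberUid", USER_DN),   # DN against memberUid: no match
        ("posixGroup", "memberUid", USER_NAME), # username against memberUid: matches
    ]
    for object_class, attr, value in cases:
        print(membership_filter(object_class, attr, value),
              "->", find_groups(GROUPS, object_class, attr, value))
```

Escaping matters more once the filter value is a username rather than a DN built by the server, since usernames are more likely to originate from user input.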
Blueprint information
- Status: Complete
- Approver: None
- Priority: Not
- Drafter: Brandon Miles
- Direction: Needs approval
- Assignee: Brandon Miles
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Steve Martinelli
Whiteboard
(stevemar): there have been many changes to the ldap driver since this blueprint was created, for any lingering issues, we can use bugs. refer to https:/
marking this as obsolete