Support for LDAP posixGroups with the 'user_member_attribute' setting

Registered by Brandon Miles

When searching for a user in a role or tenant, Keystone currently searches for the user's full DN as the value of the group's member attribute. This works fine if you are using a groupOfNames or organizationalRole layout where the members are full DNs, but if you are using posixGroups, the search will never match since the member attribute value is the username (something like memberUid=joeblow).

In order for this to work with posixGroups, I'm proposing we add a config setting called 'user_member_attribute'. With it, you specify which user attribute's value to use when searching for role and tenant matches. For example, if you set 'user_member_attribute = uid', the value of the user's 'uid' attribute would be used for the tenant/role match. The search filter for a tenant lookup would look something like this:

(&(memberUid=joeblow)(objectclass=posixGroup))

Without this setting, the filter would look like this:

(&(memberUid=uid=joeblow,ou=people,dc=example,dc=com)(objectclass=posixGroup))

If 'user_member_attribute' isn't set, the default would be to use the user's full DN.
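As an added example (not Keystone's own code, and not part of the original blueprint), the following Python builds the lookup filter both ways: with 'user_member_attribute' set to uid and with it unset (full DN), then evaluates the filter's equality assertions against a constructed posixGroup entry to show why the DN-based filter never matches. The user entry, DN and group entry are constructed sample data; the `member_attribute` and `group_objectclass` parameters are assumed stand-ins for whatever settings hold the group member attribute and object class, since the page does not name them. The value substituted into the filter is escaped per RFC 4515 so that directory-supplied attribute values cannot change the filter's structure.

```python
from typing import Dict, List, Optional

# Constructed sample directory data (not from a real deployment): one user entry in
# the tree the blueprint's examples use, and one posixGroup entry that lists the user.
SAMPLE_USER_DN = "uid=joeblow,ou=people,dc=example,dc=com"
SAMPLE_USER_ENTRY: Dict[str, List[str]] = {
    "uid": ["joeblow"],
    "cn": ["Joe Blow"],
    "objectClass": ["inetOrgPerson", "posixAccount"],
}
SAMPLE_GROUP_ENTRY: Dict[str, List[str]] = {
    "cn": ["admins"],
    "objectClass": ["posixGroup"],
    "memberUid": ["joeblow", "alice"],
}

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_value(user_dn: str,
                 user_entry: Dict[str, List[str]],
                 user_member_attribute: Optional[str]) -> str:
    """Pick the value to match against the group's member attribute.

    Unset (None or empty) means the user's full DN, the default the blueprint
    describes; otherwise the first value of the named user attribute (e.g. uid).
    """
    if not user_member_attribute:
        return user_dn
    values = user_entry.get(user_member_attribute)
    if not values:
        raise ValueError("user entry has no %r attribute" % user_member_attribute)
    return values[0]


def membership_filter(user_dn: str,
                      user_entry: Dict[str, List[str]],
                      user_member_attribute: Optional[str],
                      member_attribute: str = "memberUid",      # assumed setting name
                      group_objectclass: str = "posixGroup") -> str:  # assumed setting name
    """Build the tenant/role lookup filter shown in the blueprint."""
    value = escape_filter_value(member_value(user_dn, user_entry, user_member_attribute))
    return "(&(%s=%s)(objectclass=%s))" % (member_attribute, value, group_objectclass)


def group_matches(group_entry: Dict[str, List[str]],
                  user_dn: str,
                  user_entry: Dict[str, List[str]],
                  user_member_attribute: Optional[str],
                  member_attribute: str = "memberUid",
                  group_objectclass: str = "posixGroup") -> bool:
    """Evaluate the filter's two equality assertions against one group entry.

    This stands in for the directory server applying the filter: objectClass
    values compare case-insensitively, member values are compared exactly here.
    """
    wanted = member_value(user_dn, user_entry, user_member_attribute)
    classes = {c.lower() for c in group_entry.get("objectClass", [])}
    members = group_entry.get(member_attribute, [])
    return group_objectclass.lower() in classes and wanted in members


if __name__ == "__main__":
    for setting in ("uid", None):
        print("user_member_attribute =", setting)
        print("  filter:", membership_filter(SAMPLE_USER_DN, SAMPLE_USER_ENTRY, setting))
        print("  matches admins group:",
              group_matches(SAMPLE_GROUP_ENTRY, SAMPLE_USER_DN, SAMPLE_USER_ENTRY, setting))
```

Running it prints the two filters from the blueprint text and shows that only the uid-based one matches the posixGroup entry; the DN default produces a memberUid value that no posixGroup carries. The escaping step matters once the substituted value is an arbitrary attribute rather than a DN Keystone built itself.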

Blueprint information

Status: Complete
Approver: None
Priority: Not
Drafter: Brandon Miles
Direction: Needs approval
Assignee: Brandon Miles
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Steve Martinelli


Whiteboard

(stevemar): There have been many changes to the LDAP driver since this blueprint was created; for any lingering issues, we can use bugs. Refer to https://bugs.launchpad.net/keystone/+bug/1526462

marking this as obsolete
