e8e56dc7c1
Active Directory has a very specific mechanism to handle nested groups.
LDAP queries need to look like this:

"(&(objectClass=group) (member=member:1.2.840.113556.1.4.1941:=CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM))"

If a deployment is using nested groups, three queries need to be modified to support it:

- list users in a group
- list groups for a user
- check if a user is in a group

Since all three are necessary, a single configuration value ensures that the change is synchronized across all three calls.

Closed-Bug: #1638603
Change-Id: Ia66f81f86d7c43fbc5ba7f18ada91c77d047f7a2
9 lines
428 B
YAML
---
features:
  - >
    [`bug 1638603 <https://bugs.launchpad.net/keystone/+bug/1638603>`_]
    Support nested groups in Active Directory. A new boolean option
    ``[ldap] group_ad_nesting`` has been added, it defaults to ``False``.
    Enable the option if using Active Directory with nested groups. This
    option will impact the ``list_users_in_group``, ``list_groups_for_user``,
    and ``check_user_in_group`` operations.
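
The sketch below is an added example, not keystone's code: it shows how one boolean can switch all three membership queries between direct matching and Active Directory's in-chain matching rule, using the RFC 4515 extensible-match form and escaping the DN before it enters the filter. The function names, the ``group``/``user`` object classes, the ``member``/``memberOf`` attributes and the sample group DN are assumptions.

```python
# Added example, not keystone code: function names, object classes and
# attribute names below are assumptions chosen for illustration.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID from the commit message

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so a DN cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _membership(attr, dn, nesting):
    # With nesting, use the extensible-match form attr:OID:=value so the
    # directory walks the whole membership chain server-side.
    rule = ":%s:" % AD_IN_CHAIN if nesting else ""
    return "(%s%s=%s)" % (attr, rule, escape_filter_value(dn))


def groups_for_user_filter(user_dn, nesting):
    """Filter for 'list groups for a user'."""
    return "(&(objectClass=group)%s)" % _membership("member", user_dn, nesting)


def users_in_group_filter(group_dn, nesting):
    """Filter for 'list users in a group'."""
    return "(&(objectClass=user)%s)" % _membership("memberOf", group_dn, nesting)


def check_user_in_group_search(user_dn, group_dn, nesting):
    """'Check if a user is in a group': base-scoped search on the group entry."""
    return {"base": group_dn, "scope": "base",
            "filter": groups_for_user_filter(user_dn, nesting)}


if __name__ == "__main__":
    user = "CN=nwalnut,OU=Users,DC=EXAMPLE,DC=COM"   # DN from the commit message
    group = "CN=ops,OU=Groups,DC=EXAMPLE,DC=COM"     # constructed sample
    for nesting in (False, True):                    # one flag, three queries
        print(groups_for_user_filter(user, nesting))
        print(users_in_group_filter(group, nesting))
        print(check_user_in_group_search(user, group, nesting))
    print(escape_filter_value("CN=a)(member=*"))     # constructed hostile value
```

Driving all three builders from the same flag keeps listing and membership checks consistent, so an authorization decision made by one call cannot disagree with what another call reports.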