Does OpenStack support nested groups using Active Directory authentication?
Issue
- We have keystone configured to query Active Directory for user authentication. If I assign member or admin role to a project based on a group in which my user lives, I can log in to horizon. If I assign member or admin role to a group in which the group that I am in is nested, I cannot log in; the error states that I am not authorized for any projects. The error in keystone.log is as follows:

    2016-09-28 07:53:18.657 26382 DEBUG keystone.common.ldap.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] Referrals were returned and ignored. Enable referral chasing in keystone.conf via [ldap] chase_referrals convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:173
    2016-09-28 07:53:18.657 26382 DEBUG keystone.common.ldap.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:907
    2016-09-28 07:53:18.657 26382 DEBUG keystone.identity.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] ID Mapping - Domain ID: <UUID>, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/site-packages/keystone/identity/core.py:587
    2016-09-28 07:53:18.657 26382 DEBUG keystone.identity.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] Local ID: username _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:605
    2016-09-28 07:53:18.660 26382 DEBUG keystone.identity.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] Found existing mapping to public ID: <UUID> _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:618
    2016-09-28 07:53:18.665 26382 DEBUG keystone.common.ldap.core [req-920c157b-f228-4d17-a50b-19a90f41b143 - - - - -] LDAP init: url=ldap://ad.example.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:576

Environment
- Red Hat OpenStack Platform (RHOSP) 8
- Active Directory authentication with users in nested groups
