I am observing the following issue:
LDAP backend is enabled for identity and assignment, domain specific
LDAP section configured - users, groups, projects and roles are mapped.
I am able to use identity v3 api to list users, groups, to verify that a
user is in a group, and also to view role assignments - everythings looks
correct so far.
I am able to create a role for user in LDAP and if I put a user directly
into a role, everything works.
But when I put a group (which contains that user) into a role - the user
I have found a spot in the code which causes the issue:
This check returns False, here is why:
groupdns = ['cn=GroupX,ou=Groups,ou=YYY,dc=...']
roleassignment.user_dn = 'cn=UserX,ou=Users,ou=YYY,dc=...'
Therefore the check:
if roleassignment.userdn.upper() in group_dns
Will return false. I do not understand how this should work - why should
userdn match groupdn?
OpenStack Escalations Engineer
OpenStack Development Mailing List (not for usage questions)