Thursday, 2022-05-05

*** rlandy|bbl is now known as rlandy|out [00:55]
*** EugenMayer4 is now known as EugenMayer [01:54]
criehfer: we're closed. Gotta leave [03:26]
criehfer: we're closed. you have to leave [03:36]
*** rlandy|out is now known as rlandy [10:25]
*** soniya29 is now known as soniya29|afk [12:27]
LarsErikP: Hi! Do any of you have keystone integrated with AD, with working group member listing? [12:45]
LarsErikP: everything works on my side, I can grant access to projects to AD-groups. But I can not list the actual group members.. [12:45]
LarsErikP: I.e. with "openstack user list --domain FOO --group foo-group" [12:46]
LarsErikP: and the "openstack group contains user ..." command always returns "user not in group" [12:46]
grami[m]: LarsErikP: I think most people will stay away from using AD as they see it as a corporate infrastructure rather than the product infrastructure, but it's really up to the company. Also, I believe (as I don't keep up with Windows stuff) that it keeps changing how the grouping works. My advice would be to set up your own LDAP and define the layout you need; also maybe look at Kerberos or even federation. [13:11]
LarsErikP: hehe. MS specifically _don't_ change how anything works in AD, because that would literally break the entire enterprise world. So that's not an issue :P [13:14]
LarsErikP: And as I said. Everything works fine with auth etc. It's just "weird" that I can't list the group members; since keystone obviously is able to read group members elsewhere in the code (given that it works perfectly fine to grant project access to a group) [13:16]
BedMan: I think you might be able to look at the authentication code to determine how it works, then backport that to the user list commands [13:54]
BedMan: but it is coming at the problem from opposite points of view... [13:54]
BedMan: so that might not cover it :( [13:54]
*** soniya is now known as soniya|afk [14:15]
*** soniya|afk is now known as soniya [15:11]
*** rlandy is now known as rlandy|bbl [22:36]
