[openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation
Darren J Moffat
Darren.Moffat at Oracle.COM
Thu Jun 4 13:38:57 UTC 2015
On 06/04/15 14:03, Fox, Kevin M wrote:
> Some kind of intermediate mapping might be better. With LDAP, I don't
> have control over the groups users are assigned since that's an
> enterprise/AD thing. There can be a lot of them. Groups to Role
> relations I guess do that mapping. Though maybe passing groups directly
> when domains can have different group meanings might be a big problem.
Agreed, and this has caused problems for other systems in the past.
For example, the traditional AUTH_SYS as used by RPC for NFS only allowed
a user to be in 16 groups because that was all the payload could hold.
As more people moved from NIS to LDAP (and, for some, even when in NIS or
NIS+), 16 groups was a big issue.
Now modern Linux and Solaris kernels support a user being in 1024 groups
by having the consumer (the NFS server usually) check with the directory
server (usually LDAP) when the list is exactly 16 groups.
So we know it is already common for LDAP directories to have users in a
significant number of groups.
--
Darren J Moffat
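The AUTH_SYS payload limit described above, as an added example that is not part of the original thread: a minimal Python encoder/decoder for the RFC 5531 authsys_parms structure, showing how a user with 20 groups is silently truncated to 16 on the wire, and how a consumer can flag a full 16-entry list as "consult the directory" (the heuristic the mail mentions). The function names and sample values are my own.

```python
import struct

# RFC 5531 appendix A.1: authsys_parms carries "unsigned int gids<16>",
# so the wire format can never hold more than 16 supplementary groups.
AUTH_SYS_MAX_GIDS = 16


def _xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte big-endian length, data, pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((4 - len(data) % 4) % 4)


def groups_dropped_by_auth_sys(gids):
    """Groups a sender cannot express in AUTH_SYS (everything past the 16th)."""
    return list(gids)[AUTH_SYS_MAX_GIDS:]


def encode_auth_sys(stamp: int, machinename: bytes, uid: int, gid: int, gids) -> bytes:
    """Build an AUTH_SYS credential body; extra groups are dropped, as on the wire."""
    kept = list(gids)[:AUTH_SYS_MAX_GIDS]
    body = struct.pack(">I", stamp) + _xdr_opaque(machinename)
    body += struct.pack(">III", uid, gid, len(kept))
    return body + b"".join(struct.pack(">I", g) for g in kept)


def decode_auth_sys(body: bytes) -> dict:
    """Parse an AUTH_SYS credential body back into its fields."""
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off); off += 4
    (mlen,) = struct.unpack_from(">I", body, off); off += 4
    machinename = body[off:off + mlen]; off += mlen + ((4 - mlen % 4) % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off); off += 12
    if ngids > AUTH_SYS_MAX_GIDS:
        raise ValueError("malformed AUTH_SYS credential: %d gids" % ngids)
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return {"stamp": stamp, "machinename": machinename, "uid": uid, "gid": gid, "gids": gids}


def needs_directory_lookup(cred: dict) -> bool:
    """Consumer-side rule from the mail: a list of exactly 16 gids may be truncated,
    so the real membership must be fetched from the directory (e.g. LDAP)."""
    return len(cred["gids"]) == AUTH_SYS_MAX_GIDS


if __name__ == "__main__":
    many = list(range(100, 120))  # constructed: a user in 20 groups
    cred = decode_auth_sys(encode_auth_sys(1, b"client01", 1000, 100, many))
    print(len(cred["gids"]), "gids on the wire;", groups_dropped_by_auth_sys(many), "dropped")
    print("directory lookup needed:", needs_directory_lookup(cred))
```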