Bug Reference

CLOUDSTACK-6280 

Branch

master; patches will be submitted through Review Board

Introduction

Purpose

This will add LDAP user authorization capability to CloudStack. It will also add support for multiple LDAP servers.

Current Scenario

Currently, once LDAP is configured, CloudStack only calls the LDAP server for authentication. All roles and policies come from the users already created or imported into CloudStack; CloudStack does not map its native roles to the ones in LDAP.

Multiple domains/LDAP servers are also not supported. Although multiple LDAP servers can be added, they are used only for load balancing, and the rest of the settings are the same for all the servers.

Feature Specifications

  • Mapping of LDAP user groups to ACS groups. This will handle all the permissions.
    • The group info should be updated every time a user logs in.
  • Mapping of an LDAP basedn to an ACS domain so that all the users in the domain are authenticated against that LDAP configuration. This adds multiple LDAP server support.
    • If a domain has LDAP enabled, all the users in that domain should be able to authenticate against that LDAP config only.
    • The global LDAP setting should continue to exist, and if nothing is configured at the domain level, authentication should fall back to the global LDAP config. This will also handle the upgrade scenario.
  • Concurrent support for local as well as LDAP users for authentication and authorization.
    • Provide a global flag with options: LDAP-only, LDAP-then-Local, Local-then-LDAP, Local-only.
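The resolution order described above (domain-level LDAP config with fallback to the global one, the four-way authentication order flag, and group mapping refreshed on each login) as an added, self-contained illustration; this is not CloudStack code, and the configuration names, users, passwords and group names are constructed sample data.

```python
import hmac

# Constructed sample data (not CloudStack's): one global LDAP config, one domain-level
# override, a local password store, and the LDAP-group -> ACS-group mapping.
LDAP_CONFIGS = {
    "global": {"basedn": "dc=example,dc=com",
               "users": {"alice": ("Alice!1", ["cn=admins"])}},
    "ldap-eu": {"basedn": "dc=eu,dc=example,dc=com",
                "users": {"bob": ("Bob!1", ["cn=ops"])}},
}
DOMAIN_LDAP = {"ROOT": None, "eu": "ldap-eu"}  # None -> fall back to the global config
LOCAL_USERS = {"carol": "Carol!1", "alice": "old-local-pw"}
GROUP_MAP = {"cn=admins": "DomainAdmin", "cn=ops": "Operator"}

def _pw_ok(expected, given):
    return hmac.compare_digest(expected.encode(), given.encode())

def resolve_ldap_config(domain):
    """Domain-level LDAP configuration wins; otherwise use the global one."""
    return LDAP_CONFIGS[DOMAIN_LDAP.get(domain) or "global"]

def ldap_auth(user, password, domain):
    """Authenticate against the domain's LDAP config only; on success return the
    ACS groups derived from the user's current LDAP groups (refreshed every login)."""
    entry = resolve_ldap_config(domain)["users"].get(user)
    if entry and _pw_ok(entry[0], password):
        return [GROUP_MAP[g] for g in entry[1] if g in GROUP_MAP]
    return None

def local_auth(user, password, domain):
    """Local users keep the roles already stored in ACS, so no groups are returned."""
    stored = LOCAL_USERS.get(user)
    return [] if stored is not None and _pw_ok(stored, password) else None

ORDER = {
    "LDAP-only": [ldap_auth],
    "LDAP-then-Local": [ldap_auth, local_auth],
    "Local-then-LDAP": [local_auth, ldap_auth],
    "Local-only": [local_auth],
}

def authenticate(user, password, domain, mode):
    """Try the sources in the order selected by the global flag.
    Returns (source, acs_groups) on success, or None if every source rejects."""
    for auth in ORDER[mode]:
        groups = auth(user, password, domain)
        if groups is not None:
            return auth.__name__, groups
    return None
```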

Use cases

  • If an organisation has multiple LDAP forests/basedns/configurations, it will be able to use the ACS LDAP integration after this change.
  • This will also eliminate the manual process of assigning proper roles to imported LDAP users.
  • This will not automatically sync or delete imported or deleted LDAP users in CloudStack; it will only update their roles when they authenticate.

DB changes

  • The ldap_configuration table will be modified, and all the LDAP settings currently in the global configuration table will be moved here.
  • A new column will be added to the domain table with a foreign key to ldap_configuration.

Web Services APIs

  • getLdapGroups for a user
    • This will return all the LDAP groups for a given user.
    • This information will be used to map LDAP groups to ACS groups.
  • addLdapConfiguration
    • This will be modified to take all the LDAP configuration settings such as basedn, bind principal, password, etc.
  • listLdapConfigurations
    • This command will return all the info taken by the addLdapConfiguration command.
  • ldapCreateAccount, importLdapUsers, listLdapUsers, searchLdap
    • These will take an additional ldap_configuration id parameter.

UI scenarios

  1. UI for mapping LDAP user groups to ACS groups using the LDAP and IAM APIs
  2. Configuring LDAP for a domain
  3. Showing all the relevant LDAP configuration under the LDAP configuration tab
  4. In the add LDAP account dialog:
    1. Adding support for selecting the LDAP configuration to use
    2. Changing the LDAP group text box to a drop-down