...
- Cloud admin should be able to map an AD OU / group to a Domain in CloudStack.
- While mapping a group to AD, the cloud admin should be able to specify the option to include nested groups and the profile to select for the group users (Domain Admin / normal user in case of domain mapping).
- While mapping a domain to AD, the admin should be able to specify a user within the AD OU/group as the domain admin.
- Once a domain is mapped to an AD Group/OU, the cloud admin / domain admin will not have the option to manually import users into the domain.
- If a domain has existing users (LDAP/local), they will continue to work. The admin will also be able to add new local users to the domain.
- The "Trust AD" component will automatically authenticate users in CloudStack when they are added to an AD group, without manual setup.
- When users are removed/disabled from a group in AD, the account should be blocked from accessing CloudStack as well. (The resources are still provisioned and running.)
- The admin should be able to enable or disable nested group listing (new configuration).
- The CloudStack API key/secret key should also be disabled for imported LDAP users in CloudStack if the user is disabled in LDAP.
- If users are removed/disabled in AD, they will be disabled in CloudStack only when the disabled/removed user tries to log in.
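An added example, not CloudStack's own code, that models the requirements above and the login-time behaviour noted under Open Issues: the nested-group filter, the group membership check, and the decision to block the account and its API keys when the AD user is removed or disabled. The directory entries are constructed sample data; `memberOf`, `userAccountControl` and the LDAP_MATCHING_RULE_IN_CHAIN OID are standard Active Directory attributes, and the `login`/`Decision` names are assumptions for illustration.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks an AD account disabled
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: server-side nested match

# Constructed sample directory: Ops-Team is nested inside Cloud-Admins.
ADMINS = "CN=Cloud-Admins,OU=Cloud,DC=example,DC=com"
OPS = "CN=Ops-Team,OU=Cloud,DC=example,DC=com"
GROUPS = {ADMINS: [OPS], OPS: []}  # group DN -> member DNs
USERS = {  # sAMAccountName -> attributes; 512 = normal, 514 = normal + ACCOUNTDISABLE
    "alice": {"memberOf": [OPS], "userAccountControl": 512},
    "bob": {"memberOf": [ADMINS], "userAccountControl": 514},
    "carol": {"memberOf": ["CN=Other,OU=Cloud,DC=example,DC=com"], "userAccountControl": 512},
}

def member_filter(mapped_group: str, nested: bool) -> str:
    """LDAP filter for the mapped group; the chain rule is used only when nesting is on."""
    if nested:
        return f"(memberOf:{IN_CHAIN}:={mapped_group})"
    return f"(memberOf={mapped_group})"

def in_group(entry: dict, mapped_group: str, nested: bool) -> bool:
    """Offline stand-in for member_filter: follow group-of-group links when nested."""
    seen, todo = set(), list(entry["memberOf"])
    while todo:
        group = todo.pop()
        if group == mapped_group:
            return True
        if nested and group not in seen:
            seen.add(group)
            todo.extend(parent for parent, members in GROUPS.items() if group in members)
    return False

@dataclass
class Decision:
    authenticated: bool
    disable_account: bool  # block the CloudStack user; its resources keep running
    revoke_api_keys: bool  # API key/secret key stop working together with the login

def login(username: str, mapped_group: str, nested: bool) -> Decision:
    """Login-time sync: a user removed from AD or the group, or disabled there, is blocked."""
    entry = USERS.get(username)  # None models a user deleted from AD
    if entry is None or not in_group(entry, mapped_group, nested):
        return Decision(False, True, True)
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return Decision(False, True, True)
    return Decision(True, False, False)
```

Until the disabled user attempts a login, nothing here runs, which is exactly the gap recorded under Open Issues.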
Design
Flowchart
DB Changes
...
Automation Tests
Manual Tests
Open Issues
- When a user is disabled in LDAP, authentication in CloudStack will fail immediately. But he will be disabled in CloudStack only when he tries to log in.
References
https://technet.microsoft.com/en-us/library/cc977992.aspx
...