...
- Cloud admin should be able to to map AD OU / group to a Domain in CloudStack.
- While mapping a group to AD, the cloud admin should be able to specify the option to include nested groups and the profile to select for the group users (Domain Admin / normal user in case of domain mapping).
- While mapping domain to AD, admin should be able to specify an user within AD OU/group as the domain admin.
- Once a domain is mapped to an AD Group/OU, the cloud admin / domain admin will not have the option to manually import users to the domain.
- If a domain has existing users(ldap/local), they will continue to work. Admin will also be able to add new local users to the domain.
- The "Trust AD" component will automatically authenticates users in CloudStack when added to an AD group without manual setup.
- when users are removed/disabled from a group in AD, the account should be blocked access in CloudStack as well. (The resources are still provisioned and running.)
- CloudStack api key/secret key should also be disabled if the user is disabled in LDAP
- If the users are removed/disabled in AD, they will be disabled in CloudStack only when the disabled/removed user tries to login.
- CloudStack api key/secret key should also be disabled if the user is disabled in LDAP (disabled CloudStack users as per 8)
Design
Flowchart
![](/confluence/download/attachments/58851788/Trust%20LDAP%20-%20New%20Page.png?version=2&modificationDate=1434715502000&api=v2)
DB Changes
...
{"serverDuration": 194, "requestCorrelationId": "6f05ae292c0e82e9"}