...
This feature lets an admin map an LDAP group/OU to a CloudStack domain/account, and any changes on the LDAP side are reflected in ACS as well.
...
- Admin wants to sync a domain/account in CloudStack with an LDAP group/OU
...
- Cloud admin should be able to map an AD OU/group to a Domain or Account in CloudStack.
- While mapping a group to AD, the cloud admin should be able to specify the option to include nested groups and the profile to select for the group users (Domain Admin / normal user in case of domain mapping).
- While mapping a domain to AD, the admin should be able to specify a user within the AD OU/group as the domain admin.
- Once a domain/account is mapped to an AD group/OU, the cloud admin / domain admin will not have the option to manually import users into the domain.
- If a domain/account has existing users (LDAP/local), they will continue to work. The admin will also be able to add new local users to the domain.
- The "Trust AD" component will automatically authorize authenticated users in CloudStack when they are added to an AD group, without manual setup.
- When users are removed/disabled from a group in AD, the account should be blocked from accessing CloudStack as well. (The resources are still provisioned and running.)
- If users are removed/disabled in AD, they will be disabled in CloudStack only when the disabled/removed user tries to log in.
- The CloudStack API key/secret key should also be disabled if the user is disabled in LDAP (i.e. for CloudStack users disabled as per the previous item).
Design
Flowchart
[flowchart image]
DB Changes
ldap_trust_map

| id | type | name | domain_id |
|---|---|---|---|
| 1 | GROUP | CN=Dev-Hyd,DC=ccp,DC=example,DC=net | 2 |
| 2 | OU | OU=SevenSeas,DC=ccp,DC=example,DC=net | 3 |
Config changes
New configuration ldap.nested.groups.enable, which can be either true or false: true indicates that nested groups are queried as well, while false means only direct members are queried.
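An added example, not code from CloudStack or this design page, that models the login-time "Trust AD" decision described above: one ldap_trust_map row, the OU (DN suffix) and GROUP (membership) checks, the ldap.nested.groups.enable switch, and the rule that a user removed or disabled in AD is disabled in CloudStack only when they try to log in, with the API key/secret key revoked at that point. The LdapEntry/CsUser structures, the directory dictionary and the ACCOUNTDISABLE bit are assumptions standing in for real AD and CloudStack objects.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
ACCOUNTDISABLE = 0x2  # AD userAccountControl bit for a disabled account (assumption)

@dataclass
class LdapEntry:  # constructed stand-in for an AD user or group object
    dn: str
    member_of: List[str] = field(default_factory=list)  # DNs of groups it belongs to
    user_account_control: int = 0
@dataclass
class TrustMapping:  # one row of ldap_trust_map
    type: str   # "GROUP" or "OU"
    name: str   # DN of the group or OU
    domain_id: int
@dataclass
class CsUser:  # CloudStack-side user state (assumption)
    username: str
    enabled: bool = True
    api_key: Optional[str] = None
    secret_key: Optional[str] = None

def groups_of(entry: LdapEntry, directory: Dict[str, LdapEntry], nested: bool) -> set:
    # directory maps lower-cased DN -> LdapEntry. memberOf is followed
    # transitively only when ldap.nested.groups.enable is true.
    seen, todo = set(), [g.lower() for g in entry.member_of]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        if nested and g in directory:
            todo.extend(x.lower() for x in directory[g].member_of)
    return seen

def in_trusted_scope(entry, mapping, directory, nested):
    if mapping.type == "OU":  # user object must live under the mapped OU subtree
        return entry.dn.lower().endswith("," + mapping.name.lower())
    if mapping.type == "GROUP":
        return mapping.name.lower() in groups_of(entry, directory, nested)
    raise ValueError("unknown trust map type: " + mapping.type)

def login(user, entry, mapping, directory, nested):
    # Login-time check: a user removed or disabled in AD, or no longer in the mapped
    # group/OU, is disabled in CloudStack only now, and loses the API key/secret key.
    if (entry is None or entry.user_account_control & ACCOUNTDISABLE
            or not in_trusted_scope(entry, mapping, directory, nested)):
        user.enabled = False
        user.api_key = user.secret_key = None
        return False
    return user.enabled
```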
API Changes
...
A new API to link an LDAP OU/group with a CloudStack domain
- linkDomainToLdap - admin-only API
- domainId - the domain which has to be linked
- type - OU/GROUP
- name - distinguished name of the group or OU
- accounttype - account type to be used while auto-importing the accounts
- admin - domain admin username in LDAP - optional
- Response
- returns the domainId, name, type and accountType on success (also returns accountid if the account import of the admin user is successful)
- error message if it is not successful
- Sample API calls and responses
- link the domain and make rajanik the domain admin
```
cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
{
  "LinkDomainToLdap": {
    "accountid": "13",
    "accounttype": 2,
    "domainid": 3,
    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
    "type": "GROUP"
  }
}
```
- link the domain and make rajanik the domain admin - rajanik already exists in the domain, so no accountid is returned
```
cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
{
  "LinkDomainToLdap": {
    "accounttype": 2,
    "domainid": 3,
    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
    "type": "GROUP"
  }
}
```
- link the domain without specifying an admin
```
cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP"
{
  "LinkDomainToLdap": {
    "accounttype": 2,
    "domainid": 3,
    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
    "type": "GROUP"
  }
}
```
UI Changes
A popup to link an OU/group to a CloudStack domain.
It should show the list of domains in CloudStack and provide text fields for type, name and admin (optional); on save it calls the connectDomainToLdap API.
Testing
LDAP : Trust AD and Auto Import Test Plan
Open Issues
When a user is disabled in LDAP, authentication in CloudStack fails immediately, but the user is disabled in CloudStack only when they try to log in.
References
https://technet.microsoft.com/en-us/library/cc977992.aspx
Bug Reference & Branch
CLOUDSTACK-8647