You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Project Aims:

The aim of this project is to provide an more effective mechanism to provision users from LDAP into cloudstack. Currently cloudstack enables LDAP authentication. In this authentication users must be first setup in cloudstack. Once the user is setup in cloudstack they can authenticate using their ldap username and password. This project will improve Cloudstack LDAP integration by enabling users be setup automatically using their LDAP credentials.

A detailed version of the proposal is available at: http://ianduffy.ie/cloudstack-ldap.pdf

Project Blog

I have created a blogspot blog in order to document progress made with the project.

http://imduffy15.blogspot.ie/

Introduction

Within the community bonding period learning was focused on how to do things "The apache way". This required getting used to communication over the mailing list, becoming equated with our mentor, learning to use git, adding documentation to the project and finally creating a patch that was submitted to the review board.

During this stage I did a lot of research. I setup my cloudstack development environment and investigated the current LDAP implementation within Cloudstack.

Midterm review

During the code stage I began to investigate the current LDAP implementation. This includes:

  • The user authenticator (plugins/user-authentication/ldap) This allowed the cloudstack login to allow LDAP based users to login once they exist within the cloudstack database.
  • ldapConfig (api/src/org/apache/cloudstack/api/command/admin/ldap/LDAPConfigCmd.java) This exposed a functionality for adding an LDAP configuration. This is detailed over here: https://cloudstack.apache.org/docs/api/apidocs-4.1/root_admin/ldapConfig.html This did not allow multiple configurations.
  • ldapRemove (api/src/org/apache/cloudstack/api/command/admin/ldap/LDAPRemoveCmd.java) this allowed for removing the LDAP configuration
  • UI features. Global settings -> LDAP configuration allowed for the addition of a single LDAP server using the ldapConfig command and the removal of an LDAP server using the ldapRemove command.

After reviewing this code and implementation for some time I realised that it wasn't the most maintainable code. I realised I could existed if required but it would involve creating more unmaintainable code and it would be messy, which goes against my own principles of developing quality. This made me make the steep but justified decision to completely redo the LDAP implementation within Cloudstack. By doing this I did chance the scope of the project but it was justified for ease of expansion.

I began to research the most appropriate way of structuring this. I started of by redoing the implementation. This meant creating the following classes(Excluding DAOs):
LdapManager - Manages all LDAP connections
LdapConfiguration - Supplies all configuration from within the Cloudstack database or defaults where required.
LdapUserManager - Handles any interaction with LDAP user information.
LdapUtils - Supplies static helpers, e.g. escape search queries, get attributes from search queries.
LdapContextFactory - Manages the creation of contexts.
LdapAuthenticator - Supplies an authenticator to Cloudstack using the LdapManager.

From this I had a solid foundation for creating API commands to allow the user to interact with an LDAP server. I went on to create the following commands:

  • LdapAddConfiguration - This allows for adding multiple ldap configurations. Each configuration is just seen as a hostname and port.
  • LdapDeleteConfiguration - This allows for the deletion of an ldap configuration based on its hostname.
  • LdapListConfiguration - This lists all of the LDAP configurations that exist within the database.
  • LdapListAllUsers - This lists all the users within LDAP.

Along with this global configuration options were added to global configuration this includes:

  • ldap basedn: This allows the user to set the basedn for their ldap configuration
  • ldap bind password: This allows the user to set the password to use for binding to LDAP for creating the system context. If this is left blank along with bind principal then anonymous binding is used.
  • ldap bind principal: This allows the user to set the principle to use for binding with LDAP for creating the system context. If this is left blank along with the bind password then anonymous binding is used.
  • ldap email attribute: This sets out the attribute to use for getting the users email address. Within both OpenLDAP and ActiveDirectory this is mail. For this reason this is set to mail by default.
  • ldap realname attribute: This sets out the attribute to use for getting the users realname. Within both OpenLDAP and ActiveDiretory this is cn. For this reason this is set to cn by default.
  • ldap username attribute: This sets out the attribute to use for getting the users username. Within OpenLDAP this is uid and within ActiveDirectory this is samAccountName. In order to comply with posix standards this is set as uid by default.
  • ldap user object: This sets out the object type of user accounts within LDAP. Within OpenLDAP this is inetOrgPerson and within ActiveDirectory this is user. Again, in order to comply with posix standards this is set as inetOrgperson by default.
  • No labels