Introduction
Today, CloudStack can automatically import LDAP users into a domain or an account based on the configuration. However, users added to LDAP afterwards are not reflected automatically; the admin has to import them again manually.
This feature lets the admin map an LDAP group/OU to a CloudStack domain so that membership changes in LDAP are reflected in ACS as well.
Use Cases
- Admin wants to sync a domain in CloudStack with an LDAP group/OU.
Functional Requirements
- Cloud admin should be able to map an AD OU/group to a domain in CloudStack.
- While mapping an AD group, the cloud admin should be able to specify whether nested groups are included and which profile the group's users receive (domain admin or normal user, in the case of domain mapping).
- Once a domain is mapped to an AD group/OU, the cloud admin / domain admin will no longer have the option to manually import users into that domain.
- The "Trust AD" component will automatically authenticate users in CloudStack once they are added to a mapped AD group, without manual setup.
- When users are removed or disabled from a group in AD, the corresponding account should be blocked from accessing CloudStack as well. (Their resources remain provisioned and running.)
- Admin should be able to enable or disable nested group listing (new configuration).
- API key/secret key should be disabled for imported LDAP users in CloudStack.
Design
Flowchart
![](/confluence/download/attachments/58851788/Trust%20LDAP%20-%20New%20Page.png?version=2&modificationDate=1434715502000&api=v2)
DB Changes
ldap_configuration table (sample row)

| column | value |
|---|---|
| id | 1 |
| hostname | localhost |
| port | 10389 |
| bind_principal | CN=Administrator,CN=Users,DC=ccp,DC=example,DC=net |
| bind_password | Passw0rd |
| email_attribute | mail |
| firstname_attribute | givenname |
| lastname_attribute | sn |
| group_object | group |
| group_user_uniquemember | member |
| truststore | |
| truststore_password | |
| user_object | user |
| username_attribute | sAMAccountName |
| search_group_principle | CN=Users,CN=Builtin,DC=ccp,DC=citrite,DC=net |
| basedn | dc=ccp,dc=example,dc=net |
| read_timeout | 1000 |
| request_page_size | 1000 |
ldap_trust_map (new table, sample rows)

| id | type | name | domain_id |
|---|---|---|---|
| 1 | GROUP | CN=Dev-Hyd,DC=ccp,DC=example,DC=net | 2 |
| 2 | OU | OU=SevenSeas,DC=ccp,DC=example,DC=net | 3 |
API Changes
- A new API to link an LDAP OU/group with a CloudStack domain
  - connectDomainToLdap - admin-only API
    - domainId - the domain which has to be linked
    - type - OU/GROUP
    - name - common name of the group or OU
    - admin - domain admin username in LDAP (optional)
  - Response
    - returns the domainId on success
    - error message if it is not successful
- TODO: sample request and response
UI Changes
Testing
Unit Tests
Automation Tests
Manual Tests
Open Issues
References
Bug Reference & Branch