
Introduction

Today, CloudStack can automatically import LDAP users into a domain or an account based on the LDAP configuration. However, users added to LDAP later are not reflected automatically; the admin has to import them again manually.

This feature enables the admin to map an LDAP group/OU to a CloudStack domain so that changes in LDAP are reflected in ACS as well.

Use Cases

  1. Admin wants to sync a domain in CloudStack with an LDAP group/OU

Functional Requirements

  1. The cloud admin should be able to map an AD OU / group to a domain in CloudStack.
  2. While mapping a group to AD, the cloud admin should be able to specify whether nested groups are included and the profile to use for the group's users (domain admin / normal user, in the case of domain mapping).
  3. While mapping a domain to AD, the admin should be able to specify a user within the AD OU/group as the domain admin.
  4. Once a domain is mapped to an AD group/OU, the cloud admin / domain admin will not have the option to manually import users into the domain.
  5. If a domain has existing users (LDAP/local), they will continue to work. The admin will also be able to add new local users to the domain.
  6. The "Trust AD" component will automatically authenticate users in CloudStack when they are added to an AD group, without manual setup.
  7. When users are removed/disabled from a group in AD, the account should be blocked from accessing CloudStack as well (the resources stay provisioned and running).
  8. If users are removed/disabled in AD, they will be disabled in CloudStack only when the disabled/removed user tries to log in.
  9. The CloudStack API key/secret key should also be disabled if the user is disabled in LDAP (i.e. for CloudStack users disabled as per 8).
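As an added example (not CloudStack code), the following Python models the login decision that requirements 6 to 9 describe for one ldap_trust_map row: an in-scope LDAP user is auto-imported on first login, and a user removed or disabled in AD is blocked and only then disabled in CloudStack, together with its API keys. The LDAP entries and the trust-map row are constructed sample data, CsUser is a hypothetical stand-in for the CloudStack user record, and only direct group membership is checked (the nested-group option of requirement 2 is not modelled); it handles both GROUP and OU mappings.

```python
from dataclasses import dataclass

# Constructed stand-in for one ldap_trust_map row (type GROUP or OU).
TRUST_MAP = {"type": "GROUP", "name": "cn=dev-hyd,dc=ccp,dc=example,dc=net",
             "domain_id": 2, "account_type": 2}

# Constructed LDAP entries: DN, group memberships and the AD "disabled" state.
LDAP_USERS = {
    "rajanik": {"dn": "cn=rajanik,ou=SevenSeas,dc=ccp,dc=example,dc=net",
                "memberOf": ["cn=dev-hyd,dc=ccp,dc=example,dc=net"], "disabled": False},
    "alice":   {"dn": "cn=alice,ou=SevenSeas,dc=ccp,dc=example,dc=net",
                "memberOf": ["cn=dev-hyd,dc=ccp,dc=example,dc=net"], "disabled": True},
    "bob":     {"dn": "cn=bob,ou=Other,dc=ccp,dc=example,dc=net",
                "memberOf": [], "disabled": False},
}

@dataclass
class CsUser:                  # hypothetical model of a CloudStack user record
    domain_id: int
    account_type: int
    source: str = "LDAP"       # "LOCAL" users are never touched by the trust logic
    enabled: bool = True
    api_keys_enabled: bool = True

CS_USERS: dict = {}            # username -> CsUser, the imported users

def in_trust_scope(entry: dict, trust_map: dict) -> bool:
    """GROUP: user is a direct member; OU: the user's DN sits under the OU."""
    name = trust_map["name"].lower()
    if trust_map["type"] == "GROUP":
        return any(g.lower() == name for g in entry["memberOf"])
    return entry["dn"].lower().endswith("," + name)

def trust_login(username: str, bind_ok: bool, ldap=LDAP_USERS, cs=CS_USERS,
                trust_map=TRUST_MAP) -> str:
    """Login decision for a domain linked via ldap_trust_map."""
    entry = ldap.get(username)
    existing = cs.get(username)
    ok = (entry is not None and bind_ok and not entry["disabled"]
          and in_trust_scope(entry, trust_map))
    if not ok:
        # Req. 7-9: a user removed/disabled in AD is blocked now, and the imported
        # CloudStack user (plus its api/secret key) is disabled only at this login.
        if existing and existing.source == "LDAP" and existing.domain_id == trust_map["domain_id"]:
            existing.enabled = existing.api_keys_enabled = False
            return "disabled"
        return "blocked"
    if existing is None:
        # Req. 6: first successful login of an in-scope user auto-imports it.
        cs[username] = CsUser(trust_map["domain_id"], trust_map["account_type"])
        return "imported"
    # Assumption: a previously disabled user is not re-enabled automatically.
    return "allowed" if existing.enabled else "disabled"
```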

Design

Flowchart

DB Changes

ldap_configuration table (sample row)

  id                       1
  hostname                 localhost
  port                     10389
  bind_principal           CN=Administrator,CN=Users,DC=ccp,DC=example,DC=net
  bind_password            Passw0rd
  email_attribute          mail
  firstname_attribute      givenname
  lastname_attribute       sn
  group_object             group
  group_user_uniquemember  member
  truststore
  truststore_password
  user_object              user
  username_attribute       sAMAccountName
  search_group_principle   CN=Users,CN=Builtin,DC=ccp,DC=citrite,DC=net
  basedn                   dc=ccp,dc=example,dc=net
  read_timeout             1000
  request_page_size        1000

ldap_trust_map table (sample rows)

  id  type   name                                   domain_id
  1   GROUP  CN=Dev-Hyd,DC=ccp,DC=example,DC=net    2
  2   OU     OU=SevenSeas,DC=ccp,DC=example,DC=net  3

API Changes

  1. A new api to link an LDAP OU/group with a CloudStack domain
    • linkDomainToLdap - Admin only Api
      • domainId - the domain which has to be linked
      • type - OU/GROUP
      • name - common name of group or OU
      • accounttype - account type to be used while auto importing the accounts
      • admin - domain admin username in LDAP - optional
    • Response
      • return the domainId, name, type, accountType on success (will also return accountid if account import of the admin user is successful)
      • error message if it is not successful
    • Sample Api and response

    link domain and make rajanik admin

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
    {
      "LinkDomainToLdap": {
        "accountid": "13",
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }

    link domain and make rajanik admin - rajanik already exists in domain

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
    {
      "LinkDomainToLdap": {
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }

    link domain

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP"
    {
      "LinkDomainToLdap": {
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }

UI Changes

  1. A pop-up to link an OU/group to a CloudStack domain
    1. This should show the list of domains in CloudStack and provide text fields for type, name and admin (optional); on save it calls the connectDomainToLdap api.

Testing

LDAP : Trust AD and Auto Import Test Plan

Open Issues

  1. When a user is disabled in LDAP, authentication in CloudStack will fail immediately, but the user will be disabled in CloudStack only when he tries to log in.

Bug Reference & Branch

CLOUDSTACK-8647
