Introduction
Today, CloudStack can automatically import LDAP users into a domain or an account based on the configuration. However, users added to LDAP afterwards are not reflected automatically; the admin has to import them again manually.
This feature lets the admin map an LDAP group/OU to a CloudStack domain so that changes in LDAP are reflected in ACS as well.
Use Cases
- Admin wants to sync a domain in CloudStack with an LDAP group/OU
Functional Requirements
1. The cloud admin should be able to map an AD OU/group to a domain in CloudStack.
2. While mapping a group to AD, the cloud admin should be able to specify whether nested groups are included and which profile the group's users get (domain admin / normal user, in the case of domain mapping).
3. While mapping a domain to AD, the admin should be able to specify a user within the AD OU/group as the domain admin.
4. Once a domain is mapped to an AD group/OU, the cloud admin / domain admin will no longer have the option to manually import users into the domain.
5. If a domain has existing users (LDAP or local), they will continue to work. The admin will also be able to add new local users to the domain.
6. The "Trust AD" component automatically authenticates users in CloudStack when they are added to an AD group, without manual setup.
7. When users are removed from or disabled in a group in AD, the account should be blocked from accessing CloudStack as well. (The resources are still provisioned and running.)
8. If users are removed/disabled in AD, they will be disabled in CloudStack only when the removed/disabled user tries to log in.
9. The CloudStack API key/secret key should also be disabled if the user is disabled in LDAP (for CloudStack users disabled as per 8).
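The following is an added example, not CloudStack's own code, that simulates the login-time decision these requirements describe: a user who is in the mapped group/OU is auto-imported with the mapped account type on first login, a local user keeps working, and a user who has been removed from or disabled in AD is denied and has the CloudStack user and API key pair disabled at the moment of the login attempt. The directory, the ldap_trust_map rows and the user table are in-memory stand-ins with constructed sample values; the DNs and usernames are assumptions.

```python
"""Simulation of the login-time 'Trust AD' decision from the requirements
above. Added example, not CloudStack code: the LDAP directory, the
ldap_trust_map rows and the user table are in-memory stand-ins filled with
constructed sample values."""
from dataclasses import dataclass
from typing import Optional

# CloudStack account types as passed in linkDomainToLdap's accounttype
# parameter: 0 = normal user, 2 = domain admin.
USER, DOMAIN_ADMIN = 0, 2


@dataclass
class LdapEntry:
    dn: str
    member_of: set                 # group DNs, consulted by GROUP mappings
    enabled: bool = True


@dataclass
class CsUser:
    username: str
    domain_id: int
    account_type: int
    source: str = "LDAP"           # "LDAP" (auto-imported) or "LOCAL"
    enabled: bool = True
    api_key: Optional[str] = "api-key"   # stands in for the key/secret pair


def in_scope(entry, row):
    # GROUP: memberOf contains the group DN. OU: the user's DN sits under
    # the OU. DNs are compared case-insensitively, as LDAP does.
    if row["type"] == "GROUP":
        return row["name"].lower() in {g.lower() for g in entry.member_of}
    if row["type"] == "OU":
        return entry.dn.lower().endswith("," + row["name"].lower())
    raise ValueError(f"unknown mapping type {row['type']!r}")


class TrustAd:
    def __init__(self, directory, trust_map):
        self.directory = directory   # username -> LdapEntry
        self.trust_map = trust_map   # domain_id -> ldap_trust_map row
        self.users = {}              # (username, domain_id) -> CsUser

    def login(self, username, domain_id, password_ok):
        existing = self.users.get((username, domain_id))
        # Existing local users keep working regardless of the mapping.
        if existing is not None and existing.source == "LOCAL":
            return "ok" if password_ok and existing.enabled else "denied"
        row = self.trust_map.get(domain_id)
        if row is None:
            return "no mapping"      # unlinked domain: manual import path
        entry = self.directory.get(username)
        # Removed or disabled in AD, or no longer in the mapped group/OU:
        # disable the CloudStack user and revoke the keys now, at login time.
        if entry is None or not entry.enabled or not in_scope(entry, row):
            if existing is not None:
                existing.enabled = False
                existing.api_key = None
            return "denied"
        if not password_ok or (existing is not None and not existing.enabled):
            return "denied"
        if existing is None:         # first login: auto-import the user
            self.users[(username, domain_id)] = CsUser(
                username, domain_id, row["accounttype"])
            return "auto-imported"
        return "ok"


def run_scenario():
    """Constructed directory and mapping; returns the observed outcomes."""
    directory = {
        "rajanik": LdapEntry("CN=rajanik,OU=SevenSeas,DC=ccp,DC=example,DC=net",
                             {"CN=Dev-Hyd,DC=ccp,DC=example,DC=net"}),
        "alice": LdapEntry("CN=alice,OU=SevenSeas,DC=ccp,DC=example,DC=net", set()),
        "mallory": LdapEntry("CN=mallory,OU=Contractors,DC=ccp,DC=example,DC=net",
                             set(), enabled=False),
    }
    trust_map = {  # mirrors the ldap_trust_map rows in the DB Changes section
        2: {"type": "GROUP", "name": "CN=Dev-Hyd,DC=ccp,DC=example,DC=net",
            "accounttype": DOMAIN_ADMIN},
        3: {"type": "OU", "name": "OU=SevenSeas,DC=ccp,DC=example,DC=net",
            "accounttype": USER},
    }
    t = TrustAd(directory, trust_map)
    t.users[("bob", 3)] = CsUser("bob", 3, USER, source="LOCAL")  # local user
    out = {
        "rajanik_first": t.login("rajanik", 2, True),
        "rajanik_again": t.login("rajanik", 2, True),
        "alice_not_in_group": t.login("alice", 2, True),
        "alice_in_ou": t.login("alice", 3, True),
        "mallory_disabled": t.login("mallory", 3, True),
        "local_bob": t.login("bob", 3, True),
    }
    out["rajanik_type"] = t.users[("rajanik", 2)].account_type
    out["mallory_imported"] = ("mallory", 3) in t.users
    directory["rajanik"].enabled = False     # rajanik is disabled in AD
    out["rajanik_after_disable"] = t.login("rajanik", 2, True)
    r = t.users[("rajanik", 2)]
    out["rajanik_state"] = (r.enabled, r.api_key)
    return out
```

Note that the disabled-in-AD branch runs before the password check, so a disabled user is locked out and loses the API keys on the first attempt whether or not the password is right; this is what lets the key pair be revoked without a separate sync job.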
Design
Flowchart
![](/confluence/download/attachments/58851788/Trust%20LDAP%20-%20New%20Page.png?version=2&modificationDate=1434715502000&api=v2)
DB Changes
ldap_trust_map
| id | type  | name                                  | domain_id |
|----|-------|---------------------------------------|-----------|
| 1  | GROUP | CN=Dev-Hyd,DC=ccp,DC=example,DC=net   | 2         |
| 2  | OU    | OU=SevenSeas,DC=ccp,DC=example,DC=net | 3         |
API Changes
A new API to link an LDAP OU/group with a CloudStack domain:
- linkDomainToLdap - admin-only API
  - domainId - the domain which has to be linked
  - type - OU/GROUP
  - name - common name of the group or OU
  - accounttype - account type to be used while auto-importing the accounts
  - admin - domain admin username in LDAP (optional)
- Response
  - returns the domainId, name, type and accountType on success (also returns accountid if the account import of the admin user is successful)
  - error message if it's not successful
- Sample API calls and responses
  - link the domain and make rajanik admin

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
    {
      "LinkDomainToLdap": {
        "accountid": "13",
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }

  - link the domain and make rajanik admin, where rajanik already exists in the domain (no accountid is returned)

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik
    {
      "LinkDomainToLdap": {
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }

  - link the domain without specifying an admin

    cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP"
    {
      "LinkDomainToLdap": {
        "accounttype": 2,
        "domainid": 3,
        "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",
        "type": "GROUP"
      }
    }
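As an added example (not CloudStack's handler), the following simulates what linkDomainToLdap has to check before writing the ldap_trust_map row, and replays the three sample calls above to show when accountid appears in the response. The admin-only check, the allowed values for type and accounttype, and the rule that a domain can be linked only once are assumptions drawn from the parameter list; the set of LDAP users, the numeric domainid and the accountid counter are constructed.

```python
"""Simulation of the linkDomainToLdap handler's validation and of the three
response shapes shown above. Added example, not CloudStack code: stores are
dicts, the set of LDAP users is constructed, and accountid values are made up."""

VALID_TYPES = {"GROUP", "OU"}
VALID_ACCOUNT_TYPES = {0, 2}          # normal user / domain admin


class LdapLinkError(Exception):
    """Carries the error message the API returns on failure."""


class LdapLinker:
    def __init__(self, ldap_users):
        self.ldap_users = set(ldap_users)   # usernames resolvable in LDAP
        self.trust_map = {}                 # domainid -> ldap_trust_map row
        self.accounts = {}                  # (username, domainid) -> accountid
        self.next_account_id = 13           # constructed counter

    def link_domain_to_ldap(self, caller_is_admin, domainid, mapping_type,
                            name, accounttype, admin=None):
        # mapping_type is the API's 'type' parameter ('type' is a builtin).
        if not caller_is_admin:
            raise LdapLinkError("linkDomainToLdap is an admin-only API")
        if mapping_type not in VALID_TYPES:
            raise LdapLinkError(f"type must be one of {sorted(VALID_TYPES)}")
        if accounttype not in VALID_ACCOUNT_TYPES:
            raise LdapLinkError(
                f"accounttype must be one of {sorted(VALID_ACCOUNT_TYPES)}")
        if domainid in self.trust_map:      # assumption: one mapping per domain
            raise LdapLinkError(f"domain {domainid} is already linked")
        self.trust_map[domainid] = {"type": mapping_type, "name": name,
                                    "accounttype": accounttype}
        response = {"domainid": domainid, "name": name, "type": mapping_type,
                    "accounttype": accounttype}
        # accountid appears only when the admin user is actually imported: an
        # admin who already has an account in the domain, or who cannot be
        # found in LDAP, leaves the link in place without it.
        if (admin and (admin, domainid) not in self.accounts
                and admin in self.ldap_users):
            self.accounts[(admin, domainid)] = str(self.next_account_id)
            self.next_account_id += 1
            response["accountid"] = self.accounts[(admin, domainid)]
        return {"LinkDomainToLdap": response}


def rejected(linker, **kw):
    """Returns the error message for a call that should fail, else None."""
    try:
        linker.link_domain_to_ldap(**kw)
    except LdapLinkError as err:
        return str(err)
    return None


def sample_calls():
    """Replays the three cloudmonkey samples with a constructed LDAP user set."""
    args = dict(domainid=3, mapping_type="GROUP",
                name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net", accounttype=2)
    fresh = LdapLinker(["rajanik"])
    first = fresh.link_domain_to_ldap(True, admin="rajanik", **args)
    existing = LdapLinker(["rajanik"])
    existing.accounts[("rajanik", 3)] = "7"   # rajanik already in the domain
    second = existing.link_domain_to_ldap(True, admin="rajanik", **args)
    third = LdapLinker(["rajanik"]).link_domain_to_ldap(True, **args)
    return first, second, third
```

The validation order matters for a defender: the caller's role is checked before any parameter is inspected, so an unprivileged caller learns nothing about which domains are already linked.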
UI Changes
A popup to link an OU/group to a CloudStack domain.
It should show the list of domains in CloudStack and provide text fields for type, name and admin (optional); on save it calls the connectDomainToLdap API.
Testing
LDAP : Trust AD and Auto Import Test Plan
Open Issues
When a user is disabled in LDAP, authentication in CloudStack will fail immediately. But he will be disabled in CloudStack only when he tries to log in.
References
https://technet.microsoft.com/en-us/library/cc977992.aspx
Bug Reference & Branch
CLOUDSTACK-8647