Apache CloudStack Integration with LDAP

This approach introduces LDAP as the user management system for CloudStack.
Looking at how LDAP is deployed within an organization, there are basically two ways it is used:

  1. A set of applications is authorized to create users in the organization's LDAP. Here CloudStack is also given the authority to create users in LDAP.
  2. No application is given write access to create users in LDAP. CloudStack is not given authority to create users in the LDAP but can authenticate against it.

To handle both cases with one generic implementation in CloudStack:

Case 1: CloudStack is given access to create users in LDAP
When a user is created in CloudStack, there are two sub-cases in this context.
If the user already exists in the given LDAP, only the user's roles are defined in CloudStack; the create call acts as a registration of the existing LDAP user into CloudStack.
If the user is not present in LDAP, the LDAP plugin takes the user creation info and converts it into the required format based on the LDAP schema (the user base's object class and its mandatory attributes). It creates the user in the LDAP user base and creates the required roles in CloudStack. The bind credentials CloudStack uses for this write should be limited to adding entries under the user base, not to broader directory access.

Case 2: CloudStack is not given access to create users in LDAP
In this case CloudStack does only user registration: when a user is created in CloudStack, the user's existence is verified against LDAP, and if the user exists it is registered in CloudStack with the requested roles.
If the user does not exist in LDAP, no CloudStack account is created; instead an email is sent to the configured LDAP authority requesting creation of the user.
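The following is an added worked example, not the CloudStack LDAP plugin's own code, that models both cases above against an in-memory stand-in for the directory. The `CreateUserRequest`, `LdapDirectory`, `register_user` names, the `ou=People,dc=example,dc=org` user base, the inetOrgPerson attribute mapping and the sample entry for `alice` are all assumptions made for illustration; the e-mail match check when linking an existing LDAP user is an added safeguard, not something the design above specifies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

USER_BASE = "ou=People,dc=example,dc=org"   # assumed LDAP user base


def sample_entries() -> Dict[str, Dict[str, List[str]]]:
    """Constructed sample directory contents: one pre-existing user."""
    return {
        f"uid=alice,{USER_BASE}": {
            "objectClass": ["inetOrgPerson"],
            "uid": ["alice"],
            "cn": ["Alice Liddell"],
            "sn": ["Liddell"],
            "givenName": ["Alice"],
            "mail": ["alice@example.org"],
        }
    }


@dataclass
class CreateUserRequest:
    """Fields of a CloudStack createUser call that the plugin maps to LDAP."""
    username: str
    firstname: str
    lastname: str
    email: str
    role: str = "User"   # CloudStack role: defined in CloudStack, never in LDAP


def to_ldap_entry(req: CreateUserRequest,
                  user_base: str = USER_BASE) -> Tuple[str, Dict[str, List[str]]]:
    """Convert a createUser request into an inetOrgPerson entry (assumed schema).
    sn and cn are mandatory for inetOrgPerson; uid is the conventional RDN."""
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": [req.username],
        "givenName": [req.firstname],
        "sn": [req.lastname],
        "cn": [f"{req.firstname} {req.lastname}"],
        "mail": [req.email],
    }
    return f"uid={req.username},{user_base}", attrs


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Render the entry as LDIF, the form ldapadd would consume."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines) + "\n"


class LdapDirectory:
    """In-memory stand-in for the org LDAP; `writable` selects case 1 or case 2."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]], writable: bool):
        self.entries = entries
        self.writable = writable

    def find_user(self, username: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
        # Equivalent of a subtree search under the user base for (uid=<username>).
        for dn, attrs in self.entries.items():
            if username in attrs.get("uid", []):
                return dn, attrs
        return None

    def add(self, dn: str, attrs: Dict[str, List[str]]) -> None:
        if not self.writable:
            raise PermissionError("bind account has no write access to the user base")
        if dn in self.entries:
            raise ValueError(f"entry already exists: {dn}")
        self.entries[dn] = attrs


def register_user(req: CreateUserRequest, directory: LdapDirectory,
                  registry: Dict[str, Dict[str, str]],
                  notify: Callable[[str], None]) -> str:
    """CloudStack-side user creation. `registry` stands in for CloudStack's user
    table (username -> dn and role); `notify` delivers the request to the LDAP
    authority when the user is absent and CloudStack cannot create it."""
    found = directory.find_user(req.username)
    if found is not None:
        dn, attrs = found
        # Added safeguard (assumption): only link a CloudStack role to an existing
        # LDAP identity when the e-mail given by the admin matches the directory.
        if req.email.lower() not in [m.lower() for m in attrs.get("mail", [])]:
            raise ValueError(f"{req.username} exists in LDAP with a different mail address")
        registry[req.username] = {"dn": dn, "role": req.role}
        return "registered"
    if directory.writable:
        dn, attrs = to_ldap_entry(req)          # case 1: create in LDAP, then register
        directory.add(dn, attrs)
        registry[req.username] = {"dn": dn, "role": req.role}
        return "created"
    # case 2: absent and no write access -> nothing is registered in CloudStack
    notify(f"Please create LDAP user uid={req.username} ({req.firstname} {req.lastname}, "
           f"{req.email}); CloudStack role requested: {req.role}")
    return "notified"


if __name__ == "__main__":
    bob = CreateUserRequest("bob", "Bob", "Builder", "bob@example.org", role="DomainAdmin")
    for writable in (True, False):
        d, registry, mails = LdapDirectory(sample_entries(), writable), {}, []
        print(f"writable={writable}:", register_user(bob, d, registry, mails.append), registry, mails)
```

`to_ldif` shows what the plugin would hand to the directory in case 1; `register_user` never writes a password or any LDAP attribute into the CloudStack-side registry, since the directory stays the authority for identity and CloudStack only holds the role mapping.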
