Introduction

Today, CloudStack can automatically import LDAP users based on the configuration to a domain or an account. However, any new users in LDAP aren't automatically reflected. The admin has to manually import them again.

This feature enables admin to map LDAP group/OU to a CloudStack domain and any changes are reflected in ACS as well.

Use Cases

1. Admin wants to sync a domain in CloudStack with LDAP group/OU

Functional Requirements

1. Cloud admin should be able to to map AD OU / group to a Domain in CloudStack.
2. While mapping a group to AD, the cloud admin should be able to specify the option to include nested groups and the profile to select for the group users (Domain Admin / normal user in case of domain mapping).
3. While mapping domain to AD, admin should be able to specify an user within AD OU/group as the domain admin.
4. Once a domain is mapped to an AD Group/OU, the cloud admin / domain admin will not have the option to manually import users to the domain.
5. If a domain has existing users(ldap/local), they will continue to work. Admin will also be able to add new local users to the domain.
6. The "Trust AD" component will automatically authenticates users in CloudStack when added to an AD group without manual setup.
7. when users are removed/disabled from a group in AD, the account should be blocked access in CloudStack as well. (The resources are still provisioned and running.)
8. If the users are removed/disabled in AD, they will be disabled in CloudStack only when the disabled/removed user tries to login.
9. CloudStack api key/secret key should also be disabled if the user is disabled in LDAP (disabled CloudStack users as per 8)

Design

Flowchart

DB Changes

ldap_trust_map

Config changes

New configuration ldap.nested.groups.enable which can be either true or false. true indicates that the nested groups can be queried while false means only direct users are queried.

API Changes

    A new api to link ldap OU/domain with a CloudStack domain

• linkDomainToLdap - Admin only Api
  • domainId - the domain which has to be linked
  • type - OU/GROUP
  • name - common name of group or OU
  • accounttype - account type to be used while auto importing the accounts
  • admin - domain admin username in LDAP - optional
• Response
  • return the domainId, name, type, accountType on success (will also return accountid if account import of the user admin is successful)
  • error message if its not successful
• Sample Api and response
  • link domain and make rajanik admin

cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik

{

  "LinkDomainToLdap": {

    "accountid": "13",

    "accounttype": 2,

    "domainid": 3,

    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",

    "type": "GROUP"

  }

• • link domain and make rajanik admin - rajanik already exists in domain

cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP" admin=rajanik

{

  "LinkDomainToLdap": {

    "accounttype": 2,

    "domainid": 3,

    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",

    "type": "GROUP"

  }

• • link domain

cloudmonkey > link domaintoldap accounttype=2 name="cn=dev-hyd,dc=ccp,dc=citrite,dc=net" domainid=8f89a84e-51a0-459f-a9ed-9079ce790235 type="GROUP"

{

  "LinkDomainToLdap": {

    "accounttype": 2,

    "domainid": 3,

    "name": "cn=dev-hyd,dc=ccp,dc=citrite,dc=net",

    "type": "GROUP"

  }

}

UI Changes

a pop to link ou/group to cloudstack

this should show list of domains in cloudstack and provide text fields for type, name, admin(optional) and on save call the connectDomainToLdap api

Testing

LDAP : Trust AD and Auto Import Test Plan

Open Issues

When a user is disabled in LDAP, authentication in CloudStack will fail immediately. But, he will disabled in CloudStack only when he tries to login.

References

https://technet.microsoft.com/en-us/library/cc977992.aspx

Bug Reference & Branch

CLOUDSTACK-8647