You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: source/adminguide/accounts.rst
+86-7Lines changed: 86 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -279,17 +279,96 @@ or ApacheDS to authenticate CloudStack end-users. CloudStack will search
279
279
the external LDAP directory tree starting at a specified base directory
280
280
and gets user info such as first name, last name, email and username.
281
281
282
-
Starting with CloudStack 4.11, an ldap connection per domain can be
283
-
defined.
282
+
Starting with CloudStack 4.11, an LDAP connection per domain can be
283
+
defined. In this domain autosync per account can be configured,
284
+
keeping the users in the domain up to date with their group membership
285
+
in LDAP.
286
+
287
+
.. Note:: A caveat with this is that ApacheDS does not yet support the virtual 'memberOf' attribute needed to check if a user moved to another account. Microsoft AD and OpenLDAP as well as OpenDJ do support this. It is a planned feature for ApacheDS that can be tracked in https://issues.apache.org/jira/browse/DIRSERVER-1844.
288
+
289
+
There are now three ways to link LDAP users to CloudStack users. These
290
+
three ways where developed as extensions on top of each other.
291
+
292
+
To authenticate, in all three cases username and password entered by
293
+
the user are used.
294
+
295
+
#. **manual import**. A user is explicitely mapped to a domain/account
296
+
and created as a user in that account.
297
+
298
+
#. CloudStack does a search for a user with the given username.
299
+
300
+
#. If it exists, it checks if the user is enabled.
301
+
302
+
#. If the user is enabled, CloudStack searches for it in LDAP
303
+
by the configured ``ldap.username.attribute``.
304
+
305
+
#. If the LDAP user is found, CloudStack does a bind request
306
+
with the returned principal for that LDAP user and the
307
+
entered password.
308
+
309
+
#. The authentication result from LAP is honoured.
310
+
311
+
#. **autoimport**. A domain is configured to import any user if it does
312
+
not yet exist in that domain. For these users a account by the same
313
+
name as the user is created on the fly and the user is created in
314
+
that account.
315
+
316
+
#. If the domain is configured to be used with LDAP,
317
+
318
+
#. CloudStack searches for it in LDAP by the configured
319
+
``ldap.username.attribute``.
320
+
321
+
#. If an LDAP user is found is found, CloudStack does a bind
322
+
request with the returned principal for that LDAP user and
323
+
the entered password.
324
+
325
+
#. If LDAP authentication checks out, CloudStack checks if the
326
+
authenticated user exists in the domain it is trying to log
327
+
on to.
328
+
329
+
#. If the user exists in CloudStack, it is ensured to be enabled
330
+
331
+
#. If it doesn't exist it is created in a new account with
332
+
the username as names for both account and user.
333
+
334
+
#. In case authentication fails the user will be disabled in
335
+
cloudstack after the configured
336
+
``incorrect.login.attempts.allowed`` number of attempts.
337
+
338
+
#. **autosync**. A domain is configured to use a LDAP server and in this
339
+
domain a number of accounts are 'mapped' against LDAP groups. Any
340
+
user that is in one of these configured accounts will be checked against the
341
+
current state of LDAP and if they exist they will be asserted to be
342
+
in the right account according to their LDAP group. If they do not
343
+
exist in LDAP they will be disabled in CloudStack.
344
+
345
+
#. If the domain is configured to be used by LDAP,
346
+
347
+
#. CloudStack searches for it in LDAP by the configured
348
+
``ldap.username.attribute``.
349
+
350
+
#. If an LDAP user is found, it is checked for
351
+
memberships of mapped account, i.e. accounts for which LDAP
352
+
groups are configured.
353
+
354
+
#. If the LDAP user has 0, 2 or more memberships the account
355
+
is disabled and authentication fails.
356
+
357
+
#. CloudStack then does a bind request with the returned
358
+
principal for that LDAP user and the entered password.
359
+
360
+
#. If no CloudStack user exists it is created in the
361
+
appropriate account.
362
+
363
+
364
+
#. If a CloudStack user exists but is not in the appropriate
365
+
account its credentials will be moved.
284
366
285
-
To authenticate, username and password entered by the user are used.
286
-
Cloudstack does a search for a user with the given username. If it
287
-
exists, it does a bind request with DN and password.
288
367
289
368
To set up LDAP authentication in CloudStack, call the CloudStack API
290
369
command ``addLdapConfiguration`` and provide Hostname or IP address
291
370
and listening port of the LDAP server. Optionally a domain id can be
292
-
given for the domain for which this LDP connection is valid. You could
371
+
given for the domain for which this LDAP connection is valid. You could
293
372
configure multiple servers as well. These are expected to be
294
373
replicas. If one fails, the next one is used.
295
374
@@ -356,7 +435,7 @@ You could also use api commands: ``listLdapUsers``, ``ldapCreateAccount`` and
356
435
``importLdapUsers``.
357
436
358
437
Once LDAP is enabled, the users will not be allowed to changed password
0 commit comments