Commit f7a3644

DaanHoogland and Paul Angus authored
descriptions and examples of auto import and auto sync enabling (#69)
* three ways
* some of the review comments
* descriptions and examples of auto import and auto sync enabling
* API features
* Update source/adminguide/accounts.rst grammarschool Co-Authored-By: Paul Angus <paul.angus@shapeblue.com>
* Update source/adminguide/accounts.rst Co-Authored-By: Paul Angus <paul.angus@shapeblue.com>
* Update source/adminguide/accounts.rst grammarschool Co-Authored-By: Paul Angus <paul.angus@shapeblue.com>
* Update source/adminguide/accounts.rst Co-Authored-By: Paul Angus <paul.angus@shapeblue.com>
* Update source/adminguide/accounts.rst Co-Authored-By: Paul Angus <paul.angus@shapeblue.com>
Co-authored-by: Paul Angus <paul.angus@shapeblue.com>
1 parent 70277be commit f7a3644

File tree

1 file changed

+64
-14
lines changed


source/adminguide/accounts.rst

Lines changed: 64 additions & 14 deletions
@@ -283,7 +283,12 @@ defined. In this domain autosync per account can be configured,
283283
keeping the users in the domain up to date with their group membership
284284
in LDAP.
285285

286-
.. Note:: A caveat with this is that ApacheDS does not yet support the virtual 'memberOf' attribute needed to check if a user moved to another account. Microsoft AD and OpenLDAP as well as OpenDJ do support this. It is a planned feature for ApacheDS that can be tracked in https://issues.apache.org/jira/browse/DIRSERVER-1844.
286+
.. Note:: A caveat with this is that ApacheDS does not yet support the
287+
virtual 'memberOf' attribute needed to check if a user moved
288+
to another account. Microsoft AD and OpenLDAP as well as
289+
OpenDJ do support this. It is a planned feature for ApacheDS
290+
that can be tracked in
291+
https://issues.apache.org/jira/browse/DIRSERVER-1844.
287292

288293
There are now three ways to link LDAP users to CloudStack users. These
289294
three ways where developed as extensions on top of each other.
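Review bot: the note on lines 286-291 says the virtual 'memberOf' attribute is "needed to check if a user moved to another account" but does not say what auto sync does against ApacheDS when the attribute is absent (does the user stay in the account it was first imported into, or is the sync step skipped entirely?); add one sentence with the operational consequence so an administrator running ApacheDS knows that account moves will not be applied. Nit in the unchanged context on line 294: "three ways where developed" should read "three ways were developed".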
@@ -307,10 +312,10 @@ the user are used.
307312

308313
#. The authentication result from LAP is honoured.
309314

310-
#. **autoimport**. A domain is configured to import any user if it does
311-
not yet exist in that domain. For these users a account by the same
312-
name as the user is created on the fly and the user is created in
313-
that account.
315+
#. **autoimport**. A domain is configured to import any user if it
316+
does not yet exist in that domain. For these users, an account in the
317+
same name as the user is automatically created and the user is created
318+
in that account.
314319

315320
#. If the domain is configured to be used with LDAP,
316321

@@ -359,20 +364,65 @@ the user are used.
359364
#. If no CloudStack user exists it is created in the
360365
appropriate account.
361366

362-
363367
#. If a CloudStack user exists but is not in the appropriate
364368
account its credentials will be moved.
365369

366-
367370
To set up LDAP authentication in CloudStack, call the CloudStack API
368371
command ``addLdapConfiguration`` and provide Hostname or IP address
369372
and listening port of the LDAP server. Optionally a domain id can be
370373
given for the domain for which this LDAP connection is valid. You could
371-
configure multiple servers as well. These are expected to be
374+
configure multiple servers as well, for the same domain. These are expected to be
372375
replicas. If one fails, the next one is used.
373376

374-
The following global configurations should also be configured (the
375-
default values are for openldap)
377+
.. code:: bash
378+
379+
cloudmonkey add ldapconfiguration hostname=localhost\
380+
port=389\
381+
domainid=12345678-90ab-cdef-fedc-ba0987654321
382+
383+
This is all that is required to enable the manual importing of LDAP users, the
384+
LisLdapUsers API can be used to query for users to import.
385+
386+
For the auto import method, a CloudStack Domain needs to be linked to
387+
LDAP. For instance
388+
389+
.. code:: bash
390+
391+
cloudmonkey link domaintoldap domainid=12345678-90ab-cdef-fedc-ba0987654321\
392+
accounttype=2\
393+
ldapdomain="ou=people,dc=cloudstack,dc=apache,dc=org"\
394+
type=OU
395+
396+
When you want to use auto sync, no domain is linked to ldap but one or
397+
more accounts. Within a CloudStack domain one needs to link accounts
398+
to LDAP groups. The linkage of the domain is implicit and nit needed
399+
to be applied through the API call described above.
400+
401+
.. code:: bash
402+
403+
#!/bin/bash
404+
[ -z "$LDAP1PASSWORD" -o -z "$LDAP2PASSWORD" ] && exit 1
405+
ROOTDOMAIN=`cloudmonkey -d json list domains name=ROOT filter=id | jq .domain[0].id`
406+
407+
# mapping domain and account(s) from ldap server 1
408+
MAPPEDDOMAIN1=`cloudmonkey -d json create domain name=mappedDomain1 parentdomainid=$ROOTDOMAIN | jq .domain.id`
409+
cloudmonkey -d json add ldapconfiguration hostname=10.1.2.5 port=389 domainid=$MAPPEDDOMAIN1
410+
cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 name="ldap.basedn" value="dc=cloudstack,dc=apache,dc=org"
411+
cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 name='ldap.bind.principal' value='cn=admin,dc=cloudstack,dc=apache,dc=org'
412+
cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 name='ldap.bind.password' value=$LDAP1PASSWORD
413+
cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 name='ldap.search.group.principle' value='cn=AcsAccessGroup,dc=cloudstack,dc=apache,dc=org'
414+
cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 name='ldap.user.memberof.attribute' value='memberOf'
415+
416+
cloudmonkey -d json ldap createaccount account='seniors' accounttype=2 domainid=$MAPPEDDOMAIN1 username=guru
417+
cloudmonkey -d json link accounttoldap account='seniors' accounttype=2 domainid=$MAPPEDDOMAIN1 ldapdomain='cn=AcsSeniorAdmins,ou=AcsGroups,dc=cloudstack,dc=apache,dc=org' type=GROUP
418+
cloudmonkey -d json ldap createaccount account='juniors' accounttype=0 domainid=$MAPPEDDOMAIN1 username=bystander
419+
cloudmonkey -d json link accounttoldap account='juniors' accounttype=0 domainid=$MAPPEDDOMAIN1 ldapdomain='cn=AcsJuniorAdmins,ou=AcsGroups,dc=cloudstack,dc=apache,dc=org' type=GROUP
420+
421+
422+
423+
In addition to those shown in the example script above, the following
424+
configuration items can be configured (the default values are for
425+
openldap)
376426

377427
- ``ldap.basedn``: Sets the basedn for LDAP. Ex: **OU=APAC,DC=company,DC=com**
378428

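Review bot: the two cloudmonkey examples on lines 379-381 and 391-394 have the line-continuation backslash glued to the preceding argument (`hostname=localhost\`, `domainid=12345678-...\`, `accounttype=2\`); bash removes a backslash-newline without inserting whitespace, so the next line is joined onto the same word and cloudmonkey receives `hostname=localhostport=389`. Put a space before every trailing backslash. In the script (lines 403-419): `jq .domain[0].id` on line 405 and `jq .domain.id` on line 408 print the UUID with its surrounding double quotes, which then land literally in `parentdomainid=$ROOTDOMAIN` and `domainid=$MAPPEDDOMAIN1`; use `jq -r`. The guard on line 404 exits when `$LDAP2PASSWORD` is unset, yet the script configures only "ldap server 1" and never references that variable, so either the second server block is missing or the test should cover `$LDAP1PASSWORD` alone. `value=$LDAP1PASSWORD` on line 412 should be quoted, and the text should warn that a bind password passed as a command-line argument is visible in `ps` output and shell history. The `accounttype=2` mappings on lines 416-417 make membership of `cn=AcsSeniorAdmins` in the directory equivalent to domain-admin rights in CloudStack; a sentence saying that this LDAP group needs the same change control as a CloudStack admin account would be useful. Typos: line 384 `LisLdapUsers` should be ``listLdapUsers`` (the API name used on line 484), line 398 "nit needed" should be "not needed", and "ldap" on line 396 should be "LDAP" as elsewhere. Line 374 now exceeds the ~80-column wrapping used in the rest of the file.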
@@ -430,14 +480,14 @@ which opens a dialog and the selected users can be imported.
430480
:align: center
431481

432482

433-
You could also use api commands: ``listLdapUsers``, ``ldapCreateAccount`` and
434-
``importLdapUsers``.
483+
You could also use api commands:
484+
``listLdapUsers``, to list users in LDAP that could or would be imported in CloudStack
485+
``ldapCreateAccount``, to manually create a user in a specific account
486+
``importLdapUsers``, to batch import users from LDAP
435487

436488
Once LDAP is enabled, the users will not be allowed to changed password
437489
directly in CloudStack.
438490

439-
440-
441491
.. |button to dedicate a zone, pod,cluster, or host| image:: /_static/images/dedicate-resource-button.png
442492

443493
Using a SAML 2.0 Identity Provider for User Authentication
