Ian, if you are implementing this logic, it would be awesome.

Keep in mind that besides LDAP, there is also the somewhat LDAP-compatible Microsoft AD; please test against it as well. Whenever you have code you need to test, I can gladly help.

Regards
ilya

> -----Original Message-----
> From: Ian Duffy [mailto:i...@ianduffy.ie]
> Sent: Friday, May 03, 2013 12:41 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [GSOC] LDAP User provisioning: Design document feedback
>
> Hi,
>
> Sorry, just noticed that the attachment appears to have got stripped; here are
> the contents of the PDF. Alternatively I have uploaded it here:
> http://ianduffy.ie/Cloudstack-LDAP.pdf
>
> *Apache Cloudstack Google Summer of Code Project: LDAP user provisioning*
>
> Need to automate the way the LDAP users are provisioned into cloudstack.
> This will mean better integration with an LDAP server, the ability to import
> users and a way to define how the LDAP user maps to the cloudstack users.
>
> Abstract
>
> The aim of this project is to provide an easier mechanism to provision users
> from LDAP into cloudstack. Currently cloudstack provides LDAP authentication.
> In this authentication users must first be set up in cloudstack. Once the
> user is set up in cloudstack they can authenticate using their LDAP username
> and password.
>
> This feature aims to extend the current functionality to make user setup
> align with an LDAP group.
>
> Deliverables
>
> - Service that retrieves a list of LDAP users from the configured group
> - Extension of cloudstack UI “Add User” screen to offer a user list from LDAP
> - Add service for saving a new user with details from LDAP
> - BDD unit and acceptance automated testing
> - Document change details
>
> Quantifiable results
>
> Given A need to add a new user to cloudstack and LDAP is set up
> When You open the “Add User” screen
> Then A table of users appears for the current list of users (not already
> created on cloudstack) from the LDAP group, displaying a checkbox, username,
> name and email address. The timezone dropdown will still be available
> beside each user.
>
> Given A need to add a new user to cloudstack and LDAP is not set up
> When You open the “Add User” screen
> Then The current add user screen and functionality is provided
>
> Given A need to add a new user to cloudstack and LDAP is set up
> When You open the “Add User” screen and mandatory information is missing
> Then These fields will be editable to enable you to populate the name or
> email address
>
> Given A need to add a new user to cloudstack, LDAP is set up but the user is
> in the ldap query group
> When You open the “Add User” screen
> Then There is a list of LDAP users displayed but your current user is present
> in the list
>
> Given A need to add a new user to cloudstack, LDAP is set up but the user is
> not in the query group
> When You open the “Add User” screen
> Then There is a list of LDAP users displayed but your current user is not in
> the list
>
> Given You need to add a group of new users to cloudstack
> When You open the “Add User” screen, select the users and hit save
> Then The list of new users is saved to the database
>
> Given You have created a new LDAP user on cloudstack
> When The user authenticates against cloudstack with the right credentials
> Then They are authorised in cloudstack
>
> Given A user wants to edit an LDAP user
> When They open the Edit User screen
> Then The password fields are disabled and cannot be changed
>
> The design document
>
> *Ldap User List Service*
>
> *name*: ldapUserList
> *responseObject*: LDAPUserResponse {username, email, name}
> *parameter*: listType:enum {NEW, EXISTING, ALL} (Default to ALL if no
> option provided)
>
> Create a new API service call for retrieving the list of users from LDAP.
> This will call a new ConfigurationService which will retrieve the list of
> users using the configured search base and the query filter. The list may
> be filtered in the ConfigurationService based on the listType parameter.
>
> *Ldap Available Service*
>
> *name*: ldapAvailable
> *responseObject*: LDAPAvailableResponse {available:boolean}
>
> Create a new API service call verifying LDAP is set up correctly by verifying
> that the following configuration elements are all set:
>
> - ldap.hostname
> - ldap.port
> - ldap.usessl
> - ldap.queryfilter
> - ldap.searchbase
> - ldap.dn
> - ldap.password
>
> The verification that all of these are set will return an available boolean
> of true. If required this could perform a status check against LDAP first and
> provide a warning if it fails.
>
> *Ldap Save Users Service*
>
> *name*: ldapSaveUsers
> *responseObject*: LDAPSaveUsersResponse {list<UserResponse>}
> *parameter*: list of users
>
> Saves the list of objects instead. Following the functionality in
> CreateUserCmd it will
>
> - Create the user via the account service
> - Handle the response
>
> It will be decided whether a transaction should remain over the whole save or
> only over individual users. A list of UserResponse will be returned.
>
> *Extension of cloudstack UI “Add User” screen*
>
> Extend account.js to enable it to add a user list with editable fields where
> required. The new “Add User” screen for LDAP setup.
>
> - This will make an ajax call to the ldapAvailable, ldapUserList and
>   ldapSaveUsers services
> - Validation will be maintained on username, email, firstname and lastname
>
> *Extension of cloudstack UI “Edit User” screen*
>
> Extend account.js to disable the password fields on the edit user screen if
> LDAP is available.
>
> - This will make an ajax call to the ldapAvailable and updateUser services
> - Validation will be maintained on username, email, firstname and lastname.
>   Additional server validation will ensure the password has not changed.
>
> Approach
>
> To get started, a development cloudstack environment with DevCloud will be
> used to verify changes. Then once the schedule is agreed with the mentor the
> deliverables will be broken into smaller user stories with expected
> delivery dates set. The development cycle will focus on BDD, enforcing that
> all unit and acceptance tests are written first.
>
> A build pipeline for a continuous delivery environment around cloudstack
> will be created; the following stages will be adopted:
>
> Stage        Action
> Commit       Runs unit tests
> Sonar        Runs code quality metrics
> Acceptance   Deploys the dev cloud and runs all acceptance tests
> Deployment   Deploy a new management server using Chef
>
> About Me
>
> I am a Computer Science Student at Dublin City University in Ireland. I have
> interests in virtualization, automation, information systems, networking and
> web development.
>
> I was involved with a project in a K-12 (educational) environment of moving
> their server systems over to a virtualized environment on ESXi. I have
> good knowledge of programming in Java, PHP and scripting languages. During
> the configuration of an automation system for OS deployment I experienced
> some exposure to scripting in powershell, batch, vbs and bash and
> configuration of PXE images based on WinPE and Debian.
>
> Additionally I am also a mentor in an opensource teaching movement called
> CoderDojo; we teach kids from the age of 8 everything from web page,
> HTML 5 game and raspberry pi development.
>
> I’m excited at the opportunity and learning experience that cloudstack is
> offering with this project.
>
> References
>
> - https://cwiki.apache.org/CLOUDSTACK/development-101.html
> - http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Admin_Guide/
> - http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/API_Developers_Guide/index.html
> - https://issues.apache.org/jira/browse/CLOUDSTACK-2014
> - http://www.slideshare.net/sebastiengoasguen/apache-cloudstack-google-summer-of-code
> - http://kirkjantzer.blogspot.co.uk/2013/03/ldap-authentication-in-cloudstack-v401.html
> - http://www.ldapguru.info/ldap/ldap-search-best-practices.html
> - http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html
>
> On 3 May 2013 17:35, Ian Duffy <i...@ianduffy.ie> wrote:
> > Hi,
> >
> > I was wondering if I could get some feedback on the attached file
> > labeled "Cloudstack-LDAP.pdf". It outlines a design document for the
> > project labeled "LDAP user provisioning".
> >
> > From my current understanding of the single sign on mechanism
> > implemented in cloudstack an LDAP user must be created manually within
> > the cloudstack database. Would it be preferred to:
> >
> > A) Create a service that polls LDAP every so often to check for new
> > user creation.
> > or
> > B) Extend the login page to check LDAP after failing to find a user
> > within the cloudstack database. On success of finding a user in LDAP a
> > profile would automatically be created within the cloudstack database.
> >
> > Kind regards,
> > Ian
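The three services in the quoted design document (ldapAvailable with its seven required keys, ldapUserList with the NEW/EXISTING/ALL listType filter, and ldapSaveUsers handling one response per user) plus the server-side "password has not changed" check for the Edit User screen, modelled together as an added Python example. This is not CloudStack's or Ian's code. The LDAP search is replaced by a constructed in-memory result set so it runs offline; the `probe` hook (the optional status check), the `create_user` callback (standing in for the account service) and every configuration value are assumptions, not CloudStack APIs.

```python
"""Offline model of the LDAP provisioning services from the design document.

Added example, not CloudStack code. Directory entries are constructed sample
data; in the real service they would come from a search over ldap.searchbase
with ldap.queryfilter, bound as ldap.dn / ldap.password.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# The seven configuration keys the ldapAvailable check requires (from the document).
REQUIRED_LDAP_KEYS = ("ldap.hostname", "ldap.port", "ldap.usessl", "ldap.queryfilter",
                      "ldap.searchbase", "ldap.dn", "ldap.password")


class ListType(Enum):
    NEW = "NEW"            # only users not yet provisioned in cloudstack
    EXISTING = "EXISTING"  # only users already provisioned
    ALL = "ALL"            # default when no listType is supplied


@dataclass(frozen=True)
class LdapUser:
    """Mirrors LDAPUserResponse {username, email, name}; no credential fields."""
    username: str
    email: str
    name: str


def ldap_available(config: Dict[str, str],
                   probe: Optional[Callable[[Dict[str, str]], bool]] = None) -> Tuple[bool, List[str]]:
    """ldapAvailable: True only when every required key has a non-empty value.

    `probe` is a hypothetical status-check hook (e.g. a bind attempt); it is only
    tried once the configuration is complete, and its failure is reported
    without ever echoing ldap.password back to the caller.
    """
    missing = [k for k in REQUIRED_LDAP_KEYS if not str(config.get(k, "")).strip()]
    if missing:
        return False, missing
    if probe is not None and not probe(config):
        return False, ["status check failed"]
    return True, []


def ldap_user_list(directory: Iterable[LdapUser], existing_usernames: Iterable[str],
                   list_type: ListType = ListType.ALL) -> List[LdapUser]:
    """ldapUserList: apply the listType filter against users already in cloudstack.

    Usernames are compared case-insensitively because directory usernames
    (AD sAMAccountName in particular) are not case-sensitive.
    """
    existing = {u.lower() for u in existing_usernames}
    result = []
    for entry in directory:
        is_existing = entry.username.lower() in existing
        if list_type is ListType.NEW and is_existing:
            continue
        if list_type is ListType.EXISTING and not is_existing:
            continue
        result.append(entry)
    return result


def ldap_save_users(users: Iterable[LdapUser], existing_usernames: Iterable[str],
                    create_user: Callable[[LdapUser], None]) -> List[dict]:
    """ldapSaveUsers: one account-service call and one response entry per user.

    Each user is its own unit of work (the per-user transaction option from the
    document), so one failure does not roll back the users saved before it.
    """
    existing = {u.lower() for u in existing_usernames}
    responses = []
    for user in users:
        if user.username.lower() in existing:
            responses.append({"username": user.username, "success": False, "error": "already exists"})
            continue
        try:
            create_user(user)          # hypothetical account-service callback
            existing.add(user.username.lower())
            responses.append({"username": user.username, "success": True})
        except Exception as exc:       # handle the response rather than abort the batch
            responses.append({"username": user.username, "success": False, "error": str(exc)})
    return responses


def password_change_allowed(update_fields: Dict[str, str], ldap_enabled: bool) -> bool:
    """Edit User server check: with LDAP available, a password in the request is
    refused even if the UI disabled the field (clients can resend it anyway)."""
    return not (ldap_enabled and "password" in update_fields)


# Constructed sample data (not from any real directory or deployment).
SAMPLE_CONFIG = {
    "ldap.hostname": "ldap.example.test", "ldap.port": "636", "ldap.usessl": "true",
    "ldap.queryfilter": "(&(objectClass=person)(memberOf=cn=cloud,ou=groups,dc=example,dc=test))",
    "ldap.searchbase": "ou=people,dc=example,dc=test",
    "ldap.dn": "cn=cloudstack-bind,ou=service,dc=example,dc=test",
    "ldap.password": "BIND-PASSWORD-PLACEHOLDER",
}
SAMPLE_DIRECTORY = [LdapUser("alice", "alice@example.test", "Alice Adams"),
                    LdapUser("Bob", "bob@example.test", "Bob Brown"),
                    LdapUser("carol", "carol@example.test", "Carol Clark")]
SAMPLE_EXISTING = ["bob"]  # already provisioned in cloudstack

if __name__ == "__main__":
    print("available:", ldap_available(SAMPLE_CONFIG))
    for lt in ListType:
        print(lt.value, [u.username for u in ldap_user_list(SAMPLE_DIRECTORY, SAMPLE_EXISTING, lt)])
    print(ldap_save_users(SAMPLE_DIRECTORY, SAMPLE_EXISTING, lambda u: None))
```

Two choices worth keeping when this is ported to the Java service: the availability response reports which keys are missing but never the bind password, and the duplicate check in the save path is repeated server-side rather than trusted from the UI's "not already created" list, since the directory and the cloudstack database can change between the list call and the save call.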