tldr: should ldap passwords be cached within cloudstack?

Hi Guys,

I wanted to get your opinion on something. I've seen a JIRA ticket for adding support for multiple LDAP servers, because if the single LDAP server fails you lose access to your Cloudstack console. I plan to add support for multiple ldap servers. But I've been wondering: why not cache passwords on cloudstack too?

So from what I understand, when a user logs in their password is passed down through all the user authenticators (I'm open to correction on this) until it finds one that passes; otherwise login fails. It wouldn't be too difficult to utilize this implementation to support caching of ldap passwords within cloudstack. I'll explain by example. We have the following user account:

Account name: user1
Password set in cloudstack: cspass
Password set in ldap: ldappass

When user1 attempts to login with password cspass, it hits the cloudstack database, returns true and is successfully logged in. When user1 attempts to login with password ldappass, it hits the cloudstack database, fails, tries against ldap, succeeds and successfully logs in.

My suggestion is to take their password on a successful login and place it into the cloudstack database, so in the event all LDAP servers went down the user would be able to authenticate against the cloudstack database.

Of course this has security issues.... one that comes to mind: if a user's ldap account becomes compromised and they need to change their ldap password, their old password will still work for cloudstack logins until they login to cloudstack using the new one.
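To make the proposal and its failure mode concrete, here is an added toy model of the authenticator chain described above (database first, then LDAP, caching the password hash locally on an LDAP success). This is example code written for this thread, not CloudStack's own authenticator code; the class and function names, the in-memory "LDAP directory", the outage flag and the optional cache TTL are all assumptions made for the illustration. It walks the user1 / cspass / ldappass scenario from the post, shows the cached credential keeping logins working during an LDAP outage, and then shows the stale-password problem the post raises: after the LDAP password changes, the old one still authenticates locally until the cached entry is replaced or, in this model, expires.

```python
"""Toy model of a CloudStack-style authenticator chain with LDAP password
caching. Constructed example for discussion, not CloudStack's code."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the LDAP directory: username -> current password.
LDAP_DIRECTORY = {"user1": "ldappass"}
LDAP_AVAILABLE = {"up": True}  # set "up" to False to simulate an outage


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the cached LDAP password is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DbAuthenticator:
    """Local database authenticator: salted hash plus the time it was cached
    (None for a password set directly in the local database)."""

    def __init__(self, cache_ttl_seconds=None):
        self.rows = {}  # user -> (salt, digest, cached_at)
        self.cache_ttl = cache_ttl_seconds  # assumed mitigation: expire cached entries

    def set_password(self, user, password, cached=False):
        salt = os.urandom(16)
        self.rows[user] = (salt, _hash(password, salt), time.time() if cached else None)

    def check(self, user, password, now=None):
        row = self.rows.get(user)
        if row is None:
            return False
        salt, digest, cached_at = row
        if cached_at is not None and self.cache_ttl is not None:
            if (now if now is not None else time.time()) - cached_at > self.cache_ttl:
                return False  # cached LDAP credential is too old to trust
        return hmac.compare_digest(_hash(password, salt), digest)


class LdapAuthenticator:
    """Simulated LDAP bind: succeeds only if the server is up and the
    password matches the directory's current value."""

    def check(self, user, password, now=None):
        if not LDAP_AVAILABLE["up"]:
            return False
        return LDAP_DIRECTORY.get(user) == password


def authenticate(db, ldap, user, password, now=None):
    """Walk the chain in order and return the name of the authenticator that
    accepted the login, or None. On an LDAP success the password hash is
    written into the local database, which is the caching the post proposes."""
    for name, auth in (("db", db), ("ldap", ldap)):
        if auth.check(user, password, now):
            if name == "ldap":
                db.set_password(user, password, cached=True)
            return name
    return None


def scenario():
    """Replay the post's example and the stale-credential problem."""
    LDAP_DIRECTORY["user1"] = "ldappass"
    LDAP_AVAILABLE["up"] = True
    db = DbAuthenticator(cache_ttl_seconds=3600)
    ldap = LdapAuthenticator()
    db.set_password("user1", "cspass")
    results = {}
    results["cs_login"] = authenticate(db, ldap, "user1", "cspass")        # "db"
    results["ldap_login"] = authenticate(db, ldap, "user1", "ldappass")    # "ldap", now cached
    LDAP_AVAILABLE["up"] = False
    results["outage_login"] = authenticate(db, ldap, "user1", "ldappass")  # "db": cache saves the login
    LDAP_AVAILABLE["up"] = True
    LDAP_DIRECTORY["user1"] = "newpass"  # user rotates the compromised LDAP password
    results["old_pw_after_change"] = authenticate(db, ldap, "user1", "ldappass")  # "db": stale!
    results["old_pw_after_ttl"] = authenticate(db, ldap, "user1", "ldappass", now=time.time() + 7200)  # None
    results["new_pw"] = authenticate(db, ldap, "user1", "newpass")  # "ldap": cache refreshed
    return results


if __name__ == "__main__":
    for step, who in scenario().items():
        print(f"{step:>22}: {who}")
```

The `old_pw_after_change` step is exactly the window the post worries about: the local database has no way to learn that LDAP rejected the old password, so the cached hash keeps answering yes. A cache TTL (the assumed `cache_ttl_seconds` here) bounds that window rather than closing it; a real implementation would also want to invalidate the cached entry whenever LDAP is reachable and rejects the password, and to make the cached path visible in audit logs so an outage-time login is distinguishable from a normal one.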