This is an automated email from the ASF dual-hosted git repository.

andrijapanic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/master by this push:
     new f7a3644  descriptions and examples of auto import and auto sync enabling (#69)
f7a3644 is described below

commit f7a36449ae58d7e385947994d89a2a0082c8609d
Author: dahn <daan.hoogl...@shapeblue.com>
AuthorDate: Fri May 22 13:21:43 2020 +0200

    descriptions and examples of auto import and auto sync enabling (#69)
    
    * three ways
    
    * some of the review comments
    
    * descriptions and examples of auto import and auto sync enabling
    
    * API features
    
    * Update source/adminguide/accounts.rst
    
    grammarschool
    
    Co-Authored-By: Paul Angus <paul.an...@shapeblue.com>
    
    * Update source/adminguide/accounts.rst
    
    Co-Authored-By: Paul Angus <paul.an...@shapeblue.com>
    
    * Update source/adminguide/accounts.rst
    
    grammarschool
    
    Co-Authored-By: Paul Angus <paul.an...@shapeblue.com>
    
    * Update source/adminguide/accounts.rst
    
    Co-Authored-By: Paul Angus <paul.an...@shapeblue.com>
    
    * Update source/adminguide/accounts.rst
    
    Co-Authored-By: Paul Angus <paul.an...@shapeblue.com>
    
    Co-authored-by: Paul Angus <paul.an...@shapeblue.com>
---
 source/adminguide/accounts.rst | 78 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 64 insertions(+), 14 deletions(-)

diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst
index 0ce8cd9..2a3f2c7 100644
--- a/source/adminguide/accounts.rst
+++ b/source/adminguide/accounts.rst
@@ -283,7 +283,12 @@ defined. In this domain autosync per account can be 
configured,
 keeping the users in the domain up to date with their group membership
 in LDAP.
 
-.. Note:: A caveat with this is that ApacheDS does not yet support the virtual 
'memberOf' attribute needed to check if a user moved to another account. 
Microsoft AD and OpenLDAP as well as OpenDJ do support this. It is a planned 
feature for ApacheDS that can be tracked in 
https://issues.apache.org/jira/browse/DIRSERVER-1844.
+.. Note:: A caveat with this is that ApacheDS does not yet support the
+          virtual 'memberOf' attribute needed to check if a user moved
+          to another account. Microsoft AD and OpenLDAP as well as
+          OpenDJ do support this. It is a planned feature for ApacheDS
+          that can be tracked in
+          https://issues.apache.org/jira/browse/DIRSERVER-1844.
 
 There are now three ways to link LDAP users to CloudStack users. These
 three ways where developed as extensions on top of each other.
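Review bot: the re-wrapped ``.. Note::`` directive renders the same as before (docutils directive names are case-insensitive and the continuation lines are indented consistently under the directive text), so this hunk is purely cosmetic; while touching this paragraph, the unchanged context line just below it, ``three ways where developed as extensions on top of each other``, should read ``were developed``.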
@@ -307,10 +312,10 @@ the user are used.
 
        #. The authentication result from LAP is honoured.
 
-#. **autoimport**. A domain is configured to import any user if it does
-   not yet exist in that domain. For these users a account by the same
-   name as the user is created on the fly and the user is created in
-   that account.
+#. **autoimport**. A domain is configured to import any user if it
+   does not yet exist in that domain. For these users, an account in the
+   same name as the user is automatically created  and the user is created
+   in that account.
 
        #. If the domain is configured to be used with LDAP,
 
@@ -359,20 +364,65 @@ the user are used.
        #. If no CloudStack user exists it is created in the
           appropriate account.
 
-
        #. If a CloudStack user exists but is not in the appropriate
           account its credentials will be moved.
 
-
 To set up LDAP authentication in CloudStack, call the CloudStack API
 command ``addLdapConfiguration`` and provide Hostname or IP address
 and listening port of the LDAP server. Optionally a domain id can be
 given for the domain for which this LDAP connection is valid. You could
-configure multiple servers as well. These are expected to be
+configure multiple servers as well, for the same domain. These are expected to 
be
 replicas. If one fails, the next one is used.
 
-The following global configurations should also be configured (the
-default values are for openldap)
+.. code:: bash
+
+         cloudmonkey add ldapconfiguration hostname=localhost\
+                                           port=389\
+                                           
domainid=12345678-90ab-cdef-fedc-ba0987654321
+
+This is all that is required to enable the manual importing of LDAP users, the 
+LisLdapUsers API can be used to query for users to import.
+
+For the auto import method, a CloudStack Domain needs to be linked to
+LDAP. For instance
+
+.. code:: bash
+
+          cloudmonkey link domaintoldap 
domainid=12345678-90ab-cdef-fedc-ba0987654321\
+                                        accounttype=2\
+                                        
ldapdomain="ou=people,dc=cloudstack,dc=apache,dc=org"\
+                                       type=OU
+
+When you want to use auto sync, no domain is linked to ldap but one or
+more accounts. Within a CloudStack domain one needs to link accounts
+to LDAP groups. The linkage of the domain is implicit and nit needed
+to be applied through the API call described above.
+
+.. code:: bash
+
+   #!/bin/bash
+   [ -z "$LDAP1PASSWORD" -o -z "$LDAP2PASSWORD" ] && exit 1
+   ROOTDOMAIN=`cloudmonkey -d json list domains name=ROOT filter=id | jq 
.domain[0].id`
+
+   # mapping domain and account(s) from ldap server 1
+   MAPPEDDOMAIN1=`cloudmonkey -d json create domain name=mappedDomain1 
parentdomainid=$ROOTDOMAIN | jq .domain.id`
+   cloudmonkey -d json add ldapconfiguration hostname=10.1.2.5 port=389 
domainid=$MAPPEDDOMAIN1
+   cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 
name="ldap.basedn" value="dc=cloudstack,dc=apache,dc=org"
+   cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 
name='ldap.bind.principal' value='cn=admin,dc=cloudstack,dc=apache,dc=org'
+   cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 
name='ldap.bind.password' value=$LDAP1PASSWORD
+   cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 
name='ldap.search.group.principle' 
value='cn=AcsAccessGroup,dc=cloudstack,dc=apache,dc=org'
+   cloudmonkey -d json update configuration domainid=$MAPPEDDOMAIN1 
name='ldap.user.memberof.attribute' value='memberOf'
+
+   cloudmonkey -d json ldap createaccount account='seniors' accounttype=2 
domainid=$MAPPEDDOMAIN1 username=guru
+   cloudmonkey -d json link accounttoldap account='seniors' accounttype=2 
domainid=$MAPPEDDOMAIN1 
ldapdomain='cn=AcsSeniorAdmins,ou=AcsGroups,dc=cloudstack,dc=apache,dc=org' 
type=GROUP
+   cloudmonkey -d json ldap createaccount account='juniors' accounttype=0 
domainid=$MAPPEDDOMAIN1 username=bystander
+   cloudmonkey -d json link accounttoldap account='juniors' accounttype=0 
domainid=$MAPPEDDOMAIN1 
ldapdomain='cn=AcsJuniorAdmins,ou=AcsGroups,dc=cloudstack,dc=apache,dc=org' 
type=GROUP
+
+
+
+In addition to those shown in the example script above, the following
+configuration items can be configured (the default values are for
+openldap)
 
 -  ``ldap.basedn``:    Sets the basedn for LDAP. Ex: 
**OU=APAC,DC=company,DC=com**
 
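Review bot: the example script does not work as written because ``jq .domain[0].id`` and ``jq .domain.id`` print JSON strings including their double quotes, so ``$ROOTDOMAIN`` and ``$MAPPEDDOMAIN1`` carry literal quote characters into ``parentdomainid=$ROOTDOMAIN`` and ``domainid=$MAPPEDDOMAIN1``; use ``jq -r`` to get the bare UUID. The guard ``[ -z "$LDAP1PASSWORD" -o -z "$LDAP2PASSWORD" ] && exit 1`` demands a second password that the script never uses (only server 1 is configured), so either drop ``LDAP2PASSWORD`` or add the second server; ``[ -z "$LDAP1PASSWORD" ] || [ -z "$LDAP2PASSWORD" ]`` is also the portable form, since ``-o`` in ``test`` is obsolescent. ``value=$LDAP1PASSWORD`` should at least be quoted (``value="$LDAP1PASSWORD"``) so a password with spaces or shell metacharacters is not split, and the text should mention that passing the bind password as a command-line argument exposes it in process listings (``ps``) and possibly shell history; reading it from the environment, as the script does, is the better of the two but the argument still leaks. Prose in the same hunk: ``LisLdapUsers`` should be ``listLdapUsers`` (the API name used later in the file), ``nit needed`` should be ``not needed``, ``ldap`` in ``no domain is linked to ldap`` should be ``LDAP`` for consistency, and the two short ``cloudmonkey`` examples mix 9- and 10-space indentation with ``type=OU`` aligned one column off from the parameters above it.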
@@ -430,14 +480,14 @@ which opens a dialog and the selected users can be 
imported.
    :align:   center
 
 
-You could also use api commands: ``listLdapUsers``, ``ldapCreateAccount`` and
-``importLdapUsers``.
+You could also use api commands:
+``listLdapUsers``, to list users in LDAP that could or would be imported in 
CloudStack
+``ldapCreateAccount``, to manually create a user in a specific account
+``importLdapUsers``, to batch import users from LDAP
 
 Once LDAP is enabled, the users will not be allowed to changed password
 directly in CloudStack.
 
-
-
 .. |button to dedicate a zone, pod,cluster, or host| image:: 
/_static/images/dedicate-resource-button.png
 
 Using a SAML 2.0 Identity Provider for User Authentication
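Review bot: the three ``listLdapUsers`` / ``ldapCreateAccount`` / ``importLdapUsers`` lines are plain paragraph text, not an RST list, so Sphinx will join them into one run-on sentence; make them a bullet list in the style of the ``-  ``ldap.basedn``:`` list earlier in the file, with a blank line after ``You could also use api commands:``. The description ``to manually create a user in a specific account`` undersells ``ldapCreateAccount``: as the script in the previous hunk shows (``ldap createaccount account='seniors' accounttype=2 ... username=guru``), it creates the account together with its first user, which is what the auto sync setup relies on. Context line: ``will not be allowed to changed password`` should be ``to change their password``.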
