Hi,

Sorry, I just noticed that the attachment appears to have been stripped, so here
are the contents of the PDF. Alternatively I have uploaded it here:
http://ianduffy.ie/Cloudstack-LDAP.pdf

*Apache Cloudstack Google Summer of Code Project: LDAP user provisioning*


We need to automate the way LDAP users are provisioned into cloudstack.
This will mean better integration with an LDAP server, the ability to import
users and a way to define how an LDAP user maps to a cloudstack user.


Abstract



The aim of this project is to provide an easier mechanism to provision
users from LDAP into cloudstack.  Currently cloudstack provides LDAP
authentication.  For this authentication, users must first be set up in
cloudstack.  Once the user is set up in cloudstack they can authenticate
using their ldap username and password.



This feature aims to extend the current functionality to make user setup
align with an LDAP group.


Deliverables

- Service that retrieves a list of ldap users from the configured group

- Extension of the cloudstack UI “Add User” screen to offer a user list from
LDAP

- Add a service for saving new users with details from LDAP

- BDD unit and acceptance automated testing

- Document change details


Quantifiable results


Given: A need to add a new user to cloudstack and LDAP is set up
When: You open the “Add User” screen
Then: A table of users appears listing the current users from the LDAP group
(not already created on cloudstack), displaying a checkbox, username, name
and email address for each. The timezone dropdown will still be available
beside each user.

Given: A need to add a new user to cloudstack and LDAP is not set up
When: You open the “Add User” screen
Then: The current add user screen and functionality is provided

Given: A need to add a new user to cloudstack and LDAP is set up
When: You open the “Add User” screen and mandatory information is missing
Then: These fields will be editable to enable you to populate the name or
email address

Given: A need to add a new user to cloudstack, LDAP is set up and the user is
in the ldap query group
When: You open the “Add User” screen
Then: A list of LDAP users is displayed and your current user is present in
the list

Given: A need to add a new user to cloudstack, LDAP is set up but the user is
not in the query group
When: You open the “Add User” screen
Then: A list of LDAP users is displayed but your current user is not in the
list

Given: You need to add a group of new users to cloudstack
When: You open the “Add User” screen, select the users and hit save
Then: The list of new users is saved to the database


Given: You have created a new LDAP user on cloudstack
When: The user authenticates against cloudstack with the right credentials
Then: They are authorised in cloudstack

Given: A user wants to edit an LDAP user
When: They open the Edit User screen
Then: The password fields are disabled and cannot be changed


The design document

*Ldap User List Service*



*name*:  ldapUserList

*responseObject*: LDAPUserResponse {username, email, name}

*parameter*: listType:enum {NEW, EXISTING, ALL} (Default to ALL if no
option provided)



Create a new API service call for retrieving the list of users from LDAP.
This will call a new ConfigurationService which will retrieve the list of
users using the configured search base and the query filter.   The list may
be filtered in the ConfigurationService based on the listType parameter.



*Ldap Available Service*



*name*:  ldapAvailable

*responseObject*: LDAPAvailableResponse {available:boolean}



Create a new API service call that verifies LDAP is set up correctly by
checking that the following configuration elements are all set:

- ldap.hostname

- ldap.port

- ldap.usessl

- ldap.queryfilter

- ldap.searchbase

- ldap.dn

- ldap.password



The verification that all of these are set will return an available boolean
true.  If required this could perform a status check against LDAP first and
provide warning if it fails.


*Ldap Save Users Service*



*name*:  ldapSaveUsers

*responseObject*: LDAPSaveUsersResponse {list<UserResponse>}

*parameter*: list of users



Saves the list of objects instead.  Following the functionality in
CreateUserCmd, it will

- Create the user via the account service

- Handle the response



It will be decided whether a transaction should remain over the whole save or
only over individual users.  A list of UserResponse will be returned.







*Extension of cloudstack UI “Add User” screen*



Extend account.js to enable it to add a user list with editable fields where
required.  This is the new “Add User” screen when LDAP is set up.

- This will make an ajax call to the ldapAvailable, ldapUserList and
ldapSaveUsers services

- Validation will be maintained on username, email, firstname and lastname



*Extension of cloudstack UI “Edit User” screen*



Extend account.js to disable the password fields on the edit user screen if
LDAP is available.

- This will make an ajax call to the ldapAvailable and updateUser services

- Validation will be maintained on username, email, firstname and
lastname.  Additional server validation will ensure the password has not
changed.




Approach



To get started, a development cloudstack environment with DevCloud will be
used to verify changes.  Then, once the schedule is agreed with the mentor,
the deliverables will be broken into smaller user stories with expected
delivery dates set.   The development cycle will focus on BDD, enforcing that
all unit and acceptance tests are written first.



A build pipeline for a continuous delivery environment around cloudstack will
be created; the following stages will be adopted:



Stage        Action
Commit       Runs unit tests
Sonar        Runs code quality metrics
Acceptance   Deploys the dev cloud and runs all acceptance tests
Deployment   Deploy a new management server using Chef




About Me



I am a Computer Science Student at Dublin City University in Ireland. I
have interests in virtualization, automation, information systems,
networking and web development.



I was involved with a project in a K-12 (educational) environment of moving
their server systems over to a virtualized environment on ESXi.   I have
good knowledge of programming in Java, PHP and scripting languages. During
the configuration of an automation system for OS deployment I gained
some exposure to scripting in powershell, batch, vbs and bash and
configuration of PXE images based off WinPE and Debian.

Additionally I am also a mentor in an opensource teaching movement called
CoderDojo, where we teach kids from the age of 8 everything from web page,
HTML 5 game and raspberry pi development.



I’m excited at the opportunity and learning experience that cloudstack are
offering with this project.








On 3 May 2013 17:35, Ian Duffy <i...@ianduffy.ie> wrote:

> Hi,
>
> I was wondering if I could get some feedback on the attached file labeled
> "Cloudstack-LDAP.pdf". It outlines a design document for the project
> labeled "LDAP user provisioning".
>
> From my current understanding of the single sign on mechanism implemented
> in cloudstack, an LDAP user must be created manually within the cloudstack
> database. Would it be preferred to:
>
> A) Create a service that polls LDAP every so often to check for new user
> creation.
> or
> B) Extend the login page to check LDAP after failing to find a user within
> the cloudstack database. On success of finding a user in LDAP a profile
> would automatically be created within the cloudstack database.
>
> Kind regards,
> Ian
>
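
As an added example (not code from the proposal above or from CloudStack itself), here is a plain-Python model of the service semantics the design document describes: the ldapAvailable configuration check, the ldapUserList listType filtering with empty mandatory fields left for the admin to fill in, and the server-side guard that keeps the Edit User screen's password unchanged for LDAP users. The function names and the sample directory entries are assumptions made for the example.

```python
# Configuration keys the ldapAvailable service must find set (from the proposal).
REQUIRED_LDAP_KEYS = ("ldap.hostname", "ldap.port", "ldap.usessl",
                      "ldap.queryfilter", "ldap.searchbase", "ldap.dn",
                      "ldap.password")
LIST_TYPES = ("NEW", "EXISTING", "ALL")  # listType enum; ALL is the default

def ldap_available(config):
    """ldapAvailable: True only when every required key is present and non-empty.
    Only the boolean is returned, so ldap.dn and ldap.password never reach the UI."""
    for key in REQUIRED_LDAP_KEYS:
        value = config.get(key)
        if value is None or not str(value).strip():
            return False
    return True

def ldap_user_list(ldap_entries, existing_usernames, list_type="ALL"):
    """ldapUserList: map entries to {username, name, email}, filtered by listType.
    Entries lacking cn or mail keep an empty field so the Add User screen can make
    it editable (the 'mandatory information is missing' scenario)."""
    if list_type not in LIST_TYPES:
        raise ValueError("listType must be one of %s" % (LIST_TYPES,))
    users = []
    for entry in ldap_entries:
        username = entry.get("uid")
        if not username:
            continue  # no uid: cannot become a cloudstack username
        exists = username in existing_usernames
        if (list_type == "NEW" and exists) or (list_type == "EXISTING" and not exists):
            continue
        users.append({"username": username, "name": entry.get("cn", ""),
                      "email": entry.get("mail", "")})
    return users

def validate_ldap_user_update(update, ldap_enabled):
    """Server-side guard for the Edit User screen: with LDAP in use a password
    change is rejected even if a client re-enables the disabled form fields."""
    if ldap_enabled and update.get("password"):
        raise ValueError("password cannot be changed for an LDAP user")
    return True

# Constructed sample data (placeholder values, not a real directory).
SAMPLE_CONFIG = {"ldap.hostname": "ldap.example.org", "ldap.port": 389,
                 "ldap.usessl": False, "ldap.queryfilter": "(objectClass=person)",
                 "ldap.searchbase": "ou=people,dc=example,dc=org",
                 "ldap.dn": "cn=svc,dc=example,dc=org", "ldap.password": "PLACEHOLDER"}
SAMPLE_LDAP = [{"uid": "alice", "cn": "Alice A", "mail": "alice@example.org"},
               {"uid": "bob", "cn": "Bob B"},  # no mail: admin must fill it in
               {"uid": "carol", "cn": "Carol C", "mail": "carol@example.org"}]
SAMPLE_EXISTING = {"carol"}  # already in the cloudstack database
```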
