Hi Ian,

I reviewed the Wiki page for this project. While I understand the security
concern for the user having local CloudStack access as well as LDAP, here are
a few things to consider.

1) By default, a user or domain admin is not able to update the password in the UI
or via the API, unless some permissions are added in the API properties file - we know
this because we worked on extending user password functionality in CloudStack -
I just can't recall the exact API commands that had to be enabled.
2) The user can, however, generate an API key and secret key, but perhaps you can create
a job that will query LDAP periodically to check for disabled users, and if a
user is disabled in LDAP, disable the user in CloudStack as well. Would this
approach work?

Regards
ilya

> -----Original Message-----
> From: Ian Duffy [mailto:i...@ianduffy.ie]
> Sent: Wednesday, July 17, 2013 11:40 AM
> To: Abhinandan Prateek
> Cc: CloudStack Dev
> Subject: [GSoC] Update the wiki LDAP page
> 
> Hi Abhi and All,
> 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/LDAP+implementation+improvement+and+user+provisioning
> 
> I have updated the LDAP page within the wiki as requested.
> 
> If anybody has feedback I would love to hear it both on a functionality
> approach and on the security concerns purpose.
> 
> The code is available in the 'ldapplugin' branch. (I tried to compile it earlier
> but it failed due to a fault with some other plugin. I have put in a request for
> the branch to be updated against master. This should fix that.) Docbook based
> documentation is supplied within the master branch.
> 
> For those of you wanting to test but not bring up an LDAP server you can use
> the embedded ApacheDS which is there for integration tests. This can be
> launched by running mvn -pl :cloud-plugin-user-authenticator-ldap ldap:run
> 
> Along with this I have continued to update my JIRA post to include stories of
> tasks I hope to get done:
> 
> https://issues.apache.org/jira/browse/CLOUDSTACK-2014
> 
> =========================================================================================
> 
> At the moment I'm trying to get a handle on some of the quirky UI stuff. I'm
> looking at the zones wizard as an example; it appears to showcase the
> custom UI the best.
> 
> As outlined in my GSoC proposal ( http://ianduffy.ie/cloudstack-ldap.pdf ) I
> said I would add a table of LDAP users, you select your user and then fill in
> the required information that wouldn't be supplied by LDAP. For those of
> you who prefer a more graphical view here's a rough wireframe:
> http://ianduffy.ie/mockup.png
> 
> Again if somebody can offer some guidance here I would appreciate it
> greatly. I'm struggling to figure out how to enable/disable/swap-in/swap-out
> different UI views based on configuration given.
> 
> Thanks!
> 
> Ian
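
The periodic LDAP check suggested in the reply at the top of this thread, sketched as an added example; it is not code from either e-mail or from CloudStack. It assumes an Active Directory style `userAccountControl` attribute and CloudStack user records with `id`, `username` and `state` fields; the sample data, field names and `plan_sync` are constructed for illustration.

```python
# Added example: decide which CloudStack users a periodic LDAP sync should disable.
# Assumption: the directory marks disabled accounts the Active Directory way,
# with the ACCOUNTDISABLE bit (0x2) set in userAccountControl.
ACCOUNTDISABLE = 0x2


def ldap_disabled(entry):
    """True when the entry's userAccountControl has ACCOUNTDISABLE set."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def plan_sync(ldap_entries, cs_users):
    """Return (ids_to_disable, unmatched_usernames).

    Users missing from LDAP are only reported, not disabled, so local-only
    accounts such as the root admin are never locked out by the job.
    """
    if not ldap_entries:
        # An empty result is far more likely an LDAP outage or a bad search
        # filter than an empty directory; do nothing rather than act on it.
        raise RuntimeError("empty LDAP result; refusing to sync")
    by_name = {e["sAMAccountName"].lower(): e for e in ldap_entries}
    to_disable, unmatched = [], []
    for user in cs_users:
        entry = by_name.get(user["username"].lower())
        if entry is None:
            unmatched.append(user["username"])
        elif ldap_disabled(entry) and user["state"] == "enabled":
            # Disabling the CloudStack user is what stops API key/secret key
            # access, which never touches the LDAP bind.
            to_disable.append(user["id"])
    return to_disable, unmatched


# Constructed sample data (hypothetical ids and names).
LDAP_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # enabled
    {"sAMAccountName": "Bob", "userAccountControl": "514"},      # disabled
    {"sAMAccountName": "carol", "userAccountControl": "66050"},  # disabled
]
CS_USERS = [
    {"id": "u-1", "username": "alice", "state": "enabled"},
    {"id": "u-2", "username": "bob", "state": "enabled"},
    {"id": "u-3", "username": "carol", "state": "disabled"},  # already done
    {"id": "u-4", "username": "admin", "state": "enabled"},   # local only
]

if __name__ == "__main__":
    print(plan_sync(LDAP_ENTRIES, CS_USERS))
```

The returned ids are what a scheduled job would pass to CloudStack's user-disable API call; the unmatched list is for an operator to review.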
