1) By default, user or domain admin are not able to update the password in the UI or via the API, unless some permissions are added in the api properties file - we know this because we worked on extending user password functionality in CloudStack.
Interesting, I will definitely research this more. I was not aware of that. Got any links to documentation about that API properties file?

2) User however can generate API key and Secret Key, but perhaps you can create a job that will query LDAP periodically to check for disabled users, and if user is disabled in LDAP, disable the user in CloudStack as well. Would this approach work?

Yes... I assume it would be possible to kick off a scheduled task (Anybody care to chime in here as to how to do that within the CloudStack lifecycle?) that would search all CloudStack users against the LDAP database and remove them or revoke their keys in the event they are not found.
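The periodic check discussed in this thread, sketched as an added example that is not part of the original messages or of CloudStack's own code: it picks the enabled CloudStack users whose LDAP account is disabled or missing and builds the signed `disableUser` request for each. Assumptions: the directory is Active Directory (disabled state read from `userAccountControl`), the `local_only` skip list and all sample data are constructed, and the LDAP search and HTTP call are left to the scheduler that runs this.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

AD_ACCOUNTDISABLE = 0x2  # assumption: Active Directory userAccountControl flag

def is_gone_or_disabled(entry):
    """entry is a dict of LDAP attributes, or None when the search found nothing."""
    if entry is None:
        return True
    return bool(int(entry.get("userAccountControl", 0)) & AD_ACCOUNTDISABLE)

def users_to_disable(cs_users, directory, local_only=("admin",)):
    """Ids of enabled CloudStack users (listUsers shape) disabled or absent in LDAP."""
    if not directory:
        # An empty snapshot usually means the LDAP query failed; never disable everyone.
        raise RuntimeError("empty directory snapshot, refusing to reconcile")
    return [
        u["id"] for u in cs_users
        if u["state"] == "enabled" and u["username"] not in local_only
        and is_gone_or_disabled(directory.get(u["username"].lower()))
    ]

def signed_query(params, api_key, secret_key):
    """CloudStack request signing: HMAC-SHA1 over the sorted, lowercased query."""
    params = dict(params, apiKey=api_key, response="json")
    enc = {k: quote(str(v), safe="") for k, v in params.items()}
    query = "&".join(f"{k}={v}" for k, v in enc.items())
    ordered = sorted(enc.items(), key=lambda kv: kv[0].lower())
    to_sign = "&".join(f"{k}={v}" for k, v in ordered).lower()
    digest = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha1).digest()
    return f"{query}&signature={quote(base64.b64encode(digest).decode(), safe='')}"

# Constructed sample data, not taken from a real deployment.
CS_USERS = [
    {"id": "u-1", "username": "alice", "state": "enabled"},
    {"id": "u-2", "username": "Bob", "state": "enabled"},
    {"id": "u-3", "username": "carol", "state": "enabled"},
    {"id": "u-4", "username": "admin", "state": "enabled"},   # local account, skipped
    {"id": "u-5", "username": "dave", "state": "disabled"},   # already disabled
]
DIRECTORY = {"alice": {"userAccountControl": "512"}, "bob": {"userAccountControl": "514"}}

if __name__ == "__main__":
    for uid in users_to_disable(CS_USERS, DIRECTORY):
        print(signed_query({"command": "disableUser", "id": uid}, "KEY", "SECRET"))
```

Disabling the CloudStack user is what closes the gap raised above: an API key and secret key generated earlier do not depend on the LDAP password, so they are unaffected by the LDAP account being turned off.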