Also, please note - there is a difference between a locked and a disabled user.

If I understand this correctly, lock forbids the user from logging in; disable
will power down the VMs the user created.

We should probably lock the account and let the admin do a cleanup on their own -
but it's open for discussion.

> -----Original Message-----
> From: Ian Duffy [mailto:i...@ianduffy.ie]
> Sent: Wednesday, July 17, 2013 1:07 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [GSoC] Update the wiki LDAP page
> 
> 1) by default, a user or domain admin is not able to update the password in
> the UI or via the API, unless some permissions are added in the API
> properties file - we know this because we worked on extending user password
> functionality in CloudStack
> 
> Interesting, I will definitely research this more. I was not aware of that. Got
> any links to documentation about that API properties file?
> 
> 2) user however can generate API key and Secret Key, but perhaps you can
> create a job that will query LDAP periodically to check for disabled users,
> and if user is disabled in LDAP, disable the user in CloudStack as well.
> Would this approach work?
> 
> Yes... I assume it would be possible to kick off a scheduled task (Anybody care
> to chime in here as to how to do that within the CloudStack lifecycle?) that
> would search all CloudStack users against the LDAP database and remove
> them or revoke their keys in the event they are not found.
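
The reconciliation job discussed in this thread, as an added example (not code from the thread or from CloudStack): it plans which accounts to lock, following the suggestion to lock rather than disable, and refuses to act on an empty or implausibly large result so a failed LDAP search cannot lock everyone out. The `CsUser` record, the action names `lock` and `revoke_keys`, the `max_fraction` limit and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CsUser:                       # hypothetical record, not a CloudStack type
    username: str
    state: str                      # "enabled" or "locked"
    has_api_key: bool
    ldap_managed: bool = True       # assumption: local accounts are flagged False

def plan_lockouts(cs_users, ldap_enabled, ldap_disabled, max_fraction=0.5):
    """Return [(action, username)] for users disabled in or missing from LDAP.

    ldap_enabled / ldap_disabled are sets of uids from one complete search.
    Raises RuntimeError if the result looks like a failed or truncated search.
    """
    managed = [u for u in cs_users if u.ldap_managed]
    if managed and not (ldap_enabled or ldap_disabled):
        raise RuntimeError("empty LDAP result; refusing to plan lockouts")
    actions = []
    for u in managed:
        gone = u.username in ldap_disabled or u.username not in ldap_enabled
        if not gone:
            continue
        if u.state == "enabled":
            actions.append(("lock", u.username))
        if u.has_api_key:
            # API keys do not depend on the LDAP password, so flag them too.
            actions.append(("revoke_keys", u.username))
    locks = sum(1 for action, _ in actions if action == "lock")
    if managed and locks / len(managed) > max_fraction:
        raise RuntimeError(f"{locks}/{len(managed)} lockouts exceeds safety limit")
    return actions

# Constructed sample data: "admin" is a local account that LDAP never lists.
USERS = [
    CsUser("alice", "enabled", True),
    CsUser("bob", "enabled", False),
    CsUser("carol", "locked", True),
    CsUser("dave", "enabled", False),
    CsUser("admin", "enabled", True, ldap_managed=False),
]

if __name__ == "__main__":
    # bob is disabled in LDAP, carol is no longer found there.
    for action in plan_lockouts(USERS, {"alice", "dave"}, {"bob"}):
        print(action)
```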
