CloudStack 4.1 and LDAP Authentication

I recently had an opportunity to hook up Apache CloudStack 4.1 to Active Directory via OpenLDAP proxies. While the OpenLDAP installation and configuration are relatively simple if you have prior experience with LDAP, the actual CloudStack configuration to use LDAP authentication is even simpler.


Follow Haroon Feroze’s excellent Step by Step Installation and Configuration of OpenLDAP as Proxy to Active Directory and the CloudStack instructions at Using an LDAP Server for User Authentication to complete the setup.

However, please be aware that the LDAP authentication/authorisation functionality as of CloudStack 4.1 seems to be very limited. User accounts identical to those in LDAP have to be created within CloudStack. So essentially, it is minimal pass-through authentication for existing CloudStack users.

Ideally, CloudStack would automatically create local accounts on successful LDAP authentication rather than have the admin pre-create them. Also, it “looks” like CloudStack can only have one LDAP server configured at a time. For HA reasons, you might want to place your LDAP servers behind a load balancer and use the virtual IP instead.
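Because the accounts have to be pre-created by hand, the CloudStack user list and the directory can drift apart. The following is an added example, not code from the original post or from CloudStack: it compares an LDIF export of the directory with a saved `listUsers` API response and reports the differences. The login attribute (`sAMAccountName`), the `local_only` exclusion list, exact-match comparison and all sample data are assumptions constructed for illustration.

```python
import base64
import json

# Constructed sample data: an LDIF export (e.g. from ldapsearch) and a saved
# CloudStack listUsers JSON response. Names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName:: Ym9i

dn: CN=Carol Example,OU=Staff,DC=example,DC=com
sAMAccountName: car
 ol
"""
SAMPLE_LIST_USERS = json.dumps({"listusersresponse": {"count": 3, "user": [
    {"username": "admin"}, {"username": "alice"}, {"username": "dave"}]}})

def parse_ldif_usernames(ldif_text, attr="sAMAccountName"):
    """Return the set of login names in an LDIF export (attr is an assumption)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    names, prefix = set(), attr.lower() + ":"
    for line in lines:
        if not line.lower().startswith(prefix):
            continue
        value = line[len(prefix):]
        if value.startswith(":"):           # "attr:: ..." marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        names.add(value.strip())
    return names

def cloudstack_usernames(list_users_json):
    """Extract usernames from a listUsers JSON response."""
    users = json.loads(list_users_json).get("listusersresponse", {}).get("user", [])
    return {u["username"] for u in users}

def reconcile(ldap_names, cs_names, local_only=("admin",)):
    """Exact-match comparison; local_only lists accounts expected to be non-LDAP."""
    return {"missing_in_cloudstack": sorted(ldap_names - cs_names),
            "not_in_ldap": sorted(cs_names - ldap_names - set(local_only))}

if __name__ == "__main__":
    print(reconcile(parse_ldif_usernames(SAMPLE_LDIF),
                    cloudstack_usernames(SAMPLE_LIST_USERS)))
```

Entries under `not_in_ldap` are the ones to review first: they are CloudStack accounts with no matching directory entry.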

A GSoC 2013 project to improve CloudStack’s LDAP support has been awarded to Ian Duffy. Details are at http://ianduffy.ie/cloudstack-ldap.pdf. We should see better LDAP support in future releases.

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.

2 thoughts on “CloudStack 4.1 and LDAP Authentication”

  1. Hi Ian,

    This was a customer requirement to use a “proxy” if the application did not have native “ADFS” support. At this time, it does not look like CloudStack has native “ADFS” support.
