cloudstack-commits mailing list archives

From radh...@apache.org
Subject git commit: ldap based authentication CLOUDSTACK-5290
Date Thu, 06 Feb 2014 11:24:22 GMT
Updated Branches:
  refs/heads/master 4f17c0bf0 -> 58ec1d009


ldap based authentication CLOUDSTACK-5290


Project: http://git-wip-us.apache.org/repos/asf/cloudstack-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack-docs/commit/58ec1d00
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-docs/tree/58ec1d00
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-docs/diff/58ec1d00

Branch: refs/heads/master
Commit: 58ec1d0091f80845412b42543191acc1e976383b
Parents: 4f17c0b
Author: radhikap <radhika.puthiyetath@citrix.com>
Authored: Thu Feb 6 16:45:29 2014 +0530
Committer: radhikap <radhika.puthiyetath@citrix.com>
Committed: Thu Feb 6 16:53:47 2014 +0530

----------------------------------------------------------------------
 en-US/LDAPserver-for-user-authentication.xml |  51 ++++--
 en-US/images/ldap-config.png                 | Bin 0 -> 7872 bytes
 en-US/images/s3-ss.png                       | Bin 0 -> 24140 bytes
 en-US/ldap-config.xml                        | 188 ++++++++++++++++++++++
 en-US/ldap-user-add.xml                      |  80 +++++++++
 5 files changed, 304 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack-docs/blob/58ec1d00/en-US/LDAPserver-for-user-authentication.xml
----------------------------------------------------------------------
diff --git a/en-US/LDAPserver-for-user-authentication.xml b/en-US/LDAPserver-for-user-authentication.xml
index 376631c..f70afe4 100644
--- a/en-US/LDAPserver-for-user-authentication.xml
+++ b/en-US/LDAPserver-for-user-authentication.xml
@@ -22,18 +22,39 @@
     under the License.
 -->
 <section id="LDAPserver-for-user-authentication">
-    <title>Using an LDAP Server for User Authentication</title>
-    <para>You can use an external LDAP server such as Microsoft Active Directory or
ApacheDS to authenticate &PRODUCT; end-users. Just map &PRODUCT; accounts to the corresponding
LDAP accounts using a query filter. The query filter is written using the query syntax of
the particular LDAP server, and can include special wildcard characters provided by &PRODUCT;
for matching common values such as the user’s email address and name. &PRODUCT; will
search the external LDAP directory tree starting at a specified base directory and return
the distinguished name (DN) and password of the matching user. This information along with
the given password is used to authenticate the user..</para>
-    <para>To set up LDAP authentication in &PRODUCT;, call the &PRODUCT; API
command ldapConfig and provide the following:</para>
-    <itemizedlist>
-        <listitem><para>Hostname or IP address and listening port of the LDAP
server</para></listitem>
-        <listitem> <para>Base directory and query filter</para></listitem>
-        <listitem><para>Search user DN credentials, which give &PRODUCT;
permission to search on the LDAP server</para></listitem>
-        <listitem><para>SSL keystore and password, if SSL is used</para></listitem>
    
-    </itemizedlist>
-    <xi:include href="example-LDAP-configuration-commands.xml" xmlns:xi="http://www.w3.org/2001/XInclude"
/>
-    <xi:include href="search-base.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
-    <xi:include href="query-filter.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
-    <xi:include href="search-user-bind-dn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"
/>
-    <xi:include href="SSL-keystore-path-and-password.xml" xmlns:xi="http://www.w3.org/2001/XInclude"
/>    
-    </section>
+  <title>Using an LDAP Server for User Authentication</title>
+  <para>&PRODUCT; supports authentication through a Lightweight Directory Access
Protocol (LDAP)
+    server, such as Microsoft Active Directory or ApacheDS. You can add LDAP associations
to
+    &PRODUCT; so users can log in by using credentials based on your existing authentication
scheme.
+    Additionally, the simplified LDAP authentication mechanism in &PRODUCT; 4.3 allows
you to import
+    users directly from the configured LDAP Group. LDAP users are authenticated without creating
+    individual users in &PRODUCT;.</para>
+  <para>To use LDAP for authentication of &PRODUCT; users, you must do the following
steps:</para>
+  <orderedlist>
+    <listitem>
+      <para>Add a working LDAP server.</para>
+      <para>See <xref linkend="ldap-config"/>.</para>
+    </listitem>
+    <listitem>
+      <para>Configure the LDAP attributes.</para>
+      <para>See <xref linkend="ldap-param"/>.</para>
+    </listitem>
+    <listitem>
+      <para>Import users from the LDAP group.</para>
+      <para>See <xref linkend="ldap-provision"/>.</para>
+    </listitem>
+    <listitem>
+      <para>To confirm authentication, log in to &PRODUCT; UI as one of the LDAP
user you have
+        imported.</para>
+    </listitem>
+  </orderedlist>
+  <xi:include href="ldap-config.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="ldap-user-add.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <!-- <xi:include href="example-LDAP-configuration-commands.xml"
+    xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="search-base.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="query-filter.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="search-user-bind-dn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="SSL-keystore-path-and-password.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="ldap-custom-auth.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>-->
+</section>
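Review bot: the new intro and the numbered steps read as contradictory: the paragraph ends with "LDAP users are authenticated without creating individual users in &PRODUCT;", yet step 3 is "Import users from the LDAP group" and the last step logs in as "one of the LDAP user you have imported" (should be "users"). State what importing creates in &PRODUCT; and whether any password is stored locally or the directory stays the only place the credential lives; the old paragraph's explanation that &PRODUCT; searches from a base directory and uses the returned DN together with the supplied password to authenticate is security context the new text drops. Also, the superseded xi:include lines are commented out rather than deleted, and the commented block references ldap-custom-auth.xml, which this commit does not add; remove the dead block, since git keeps the history.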

http://git-wip-us.apache.org/repos/asf/cloudstack-docs/blob/58ec1d00/en-US/images/ldap-config.png
----------------------------------------------------------------------
diff --git a/en-US/images/ldap-config.png b/en-US/images/ldap-config.png
new file mode 100644
index 0000000..28233d9
Binary files /dev/null and b/en-US/images/ldap-config.png differ

http://git-wip-us.apache.org/repos/asf/cloudstack-docs/blob/58ec1d00/en-US/images/s3-ss.png
----------------------------------------------------------------------
diff --git a/en-US/images/s3-ss.png b/en-US/images/s3-ss.png
new file mode 100644
index 0000000..bd7cdf2
Binary files /dev/null and b/en-US/images/s3-ss.png differ

http://git-wip-us.apache.org/repos/asf/cloudstack-docs/blob/58ec1d00/en-US/ldap-config.xml
----------------------------------------------------------------------
diff --git a/en-US/ldap-config.xml b/en-US/ldap-config.xml
new file mode 100644
index 0000000..8f049df
--- /dev/null
+++ b/en-US/ldap-config.xml
@@ -0,0 +1,188 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
[
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  
+  http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<section id="ldap-config">
+  <title>Configuring an LDAP Server</title>
+  <para>You can configure &PRODUCT; to authenticate user access with a LDAP server.
To set up LDAP
+    authentication, provide the following:</para>
+  <itemizedlist>
+    <listitem>
+      <para>Hostname or IP address and listening port of the LDAP server.</para>
+    </listitem>
+    <listitem>
+      <para>The LDAP global parameters.</para>
+    </listitem>
+    <listitem>
+      <para>Base directory and query filter.</para>
+    </listitem>
+    <listitem>
+      <para>Search user DN credentials, which give &PRODUCT; permission to search
on the LDAP
+        server.</para>
+    </listitem>
+    <listitem>
+      <para>SSL keystore and password, if SSL is used.</para>
+    </listitem>
+  </itemizedlist>
+  <section id="add-ldap">
+    <title>Adding an LDAP Server</title>
+    <orderedlist>
+      <listitem>
+        <para>Log in to the &PRODUCT; UI.</para>
+      </listitem>
+      <listitem>
+        <para>From the left navigational bar, click Global Settings.</para>
+      </listitem>
+      <listitem>
+        <para>From the Select view drop down, select LDAP Configuration.</para>
+      </listitem>
+      <listitem>
+        <para>Click Configure LDAP.</para>
+        <para>The Configure LDAP dialog is displayed.</para>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="./images/ldap-config.png"/>
+          </imageobject>
+          <textobject>
+            <phrase>ldap-config.png: LDAP configuration</phrase>
+          </textobject>
+        </mediaobject>
+      </listitem>
+      <listitem>
+        <para>Specify the following:</para>
+        <itemizedlist>
+          <listitem>
+            <para><emphasis role="bold">Hostname</emphasis>: Hostname or
IP address of the LDAP
+              server.</para>
+          </listitem>
+          <listitem>
+            <para><emphasis role="bold">Port</emphasis>: The Listening
port of the LDAP
+              server.</para>
+            <para>The port numbers for LDAP connections are: </para>
+            <itemizedlist>
+              <listitem>
+                <para>389 for unsecured LDAP connections. This is the default value.</para>
+              </listitem>
+              <listitem>
+                <para>636 for secure LDAP connections.</para>
+              </listitem>
+              <listitem>
+                <para>3268 for Microsoft unsecure LDAP connections.</para>
+              </listitem>
+              <listitem>
+                <para>3269 for Microsoft secure LDAP connections.</para>
+              </listitem>
+              <listitem>
+                <para>10389 for ApacheDS.</para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>Click OK.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+  <section id="ldap-param">
+    <title>Configuring LDAP Attributes in &PRODUCT;</title>
+    <para>&PRODUCT; provides the following global LDAP configuration parameters:</para>
+    <itemizedlist>
+      <listitem>
+        <para><parameter>ldap basedn</parameter>: Defines the location
of the users. This is usually
+          derived from the <code>binddn</code>. Remove the user name from <code>bind
dn</code> and
+          specify the group where users are located. The entire subtree under the
+            <code>binddn</code> will be searched for user accounts.</para>
+        <para>For example:
+          <programlisting>cn=users,dc=&lt;sub-domain>,dc=&lt;domain>.
dc=com</programlisting></para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap bind password</parameter>: The password used
in association with the
+          administrator bind DN. This is used for querying the LDAP directory. If this is
left blank
+          along with bind principal then anonymous binding is used.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap bind principal</parameter>: The principle
to bind to the LDAP server
+          for creating the system context. The value is frequently the DN (Distinguished
Name) of
+          the user entry with the user ID. If this field is left blank along with the bind
password
+          then anonymous binding is used.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap email attribute</parameter>: The attribute
that your LDAP directory
+          uses to hold the user’s e-mail address. Default attribute name is
+            <parameter>mail</parameter>.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap firstname attribute</parameter>: The attribute
that your LDAP
+          directory uses to hold the first name of the user. Default is <parameter>cn</parameter>.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap group object</parameter>: The attribute that
sets the object types for
+          groups.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap group user uniquemember</parameter>: The
attribute that your LDAP
+          directory uses to hold the unique members of the group.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap lastname attribute</parameter>: The attribute
that your LDAP directory
+          uses to hold the last name of the user.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap search group principle</parameter>: Sets
the principle of the group
+          that the LDAP users must be part of.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap trust store</parameter>: Sets the path to
the trust store to be used
+          for secure connections. You can use the trust store to install CA certificates
and client
+          certificates.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap trust store password</parameter>: Sets the
password for the trust
+          store. Password protects the trust store.</para>
+      </listitem>
+      <listitem>
+        <para><parameter>ldap user object</parameter>: The object type
of user accounts within LDAP.
+          The default is <parameter>inetOrgperson</parameter>.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section id="remove-ldap">
+    <title>Removing an LDAP Configuration</title>
+    <orderedlist>
+      <listitem>
+        <para>Log in to the &PRODUCT;.</para>
+      </listitem>
+      <listitem>
+        <para>From the left navigational bar, click Global Settings.</para>
+      </listitem>
+      <listitem>
+        <para>From the Select view drop down, select LDAP Configuration.</para>
+      </listitem>
+      <listitem>
+        <para>In the Quick View, click Remove LDAP.</para>
+        <para>Alternatively, you can click Remove LDAP in the LDAP Configuration Details
+          page.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+</section>
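Review bot: the example under "ldap basedn" has a period where a comma belongs: `cn=users,dc=&lt;sub-domain>,dc=&lt;domain>.` followed by `dc=com` is not a valid DN; write the RDNs comma-separated on one line. On the security-relevant settings: the section opens by listing "SSL keystore and password, if SSL is used", but the Adding an LDAP Server procedure offers only Hostname and Port, so the reader is never told whether choosing 636 or 3269 by itself turns on a secure connection or whether "ldap trust store" and "ldap trust store password" must be set first; say which, and in what order. The "ldap trust store" text says it is used to install "CA certificates and client certificates"; a trust store normally holds only the CA certificates used to validate the server, with client certificates kept in a key store, so drop the client-certificate clause unless the product really reads them from there. The anonymous-binding sentence ("If this is left blank along with bind principal then anonymous binding is used") should say what that requires, for example that the directory must allow anonymous search of the base DN. Minor: "The principle to bind" should read "principal"; the default user object class is normally written inetOrgPerson; and "Log in to the &PRODUCT;." under Removing an LDAP Configuration is missing "UI".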

http://git-wip-us.apache.org/repos/asf/cloudstack-docs/blob/58ec1d00/en-US/ldap-user-add.xml
----------------------------------------------------------------------
diff --git a/en-US/ldap-user-add.xml b/en-US/ldap-user-add.xml
new file mode 100644
index 0000000..1fadd5a
--- /dev/null
+++ b/en-US/ldap-user-add.xml
@@ -0,0 +1,80 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
[
+<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
+%BOOK_ENTITIES;
+]>
+
+<!-- Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+  
+  http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<section id="ldap-provision">
+  <title>Provisioning LDAP Users in &PRODUCT;</title>
+  <para>You can import LDAP users without creating users individually in &PRODUCT;.
After users are
+    imported to &PRODUCT; they can by authenticated to use &PRODUCT; by using their
LDAP
+    credentials. You can either directly import users from a given basedn, or alternatively,
specify
+    the search string or user attributes for &PRODUCT; to search the LDAP directory tree
based on
+    the query strings.</para>
+  <orderedlist>
+    <listitem>
+      <para>Log in to the CloudPlatform UI as an administrator.</para>
+    </listitem>
+    <listitem>
+      <para>In the left navigation bar, click Accounts.</para>
+      <para>The Account page is displayed.</para>
+    </listitem>
+    <listitem>
+      <para>In the Account page, click Add LDAP Users.</para>
+      <para>The Add LDAP User screen lists all the users associated with the LDAP server
you have
+        configured.</para>
+    </listitem>
+    <listitem>
+      <para>In the Add LDAP Account screen, perform either of the following:</para>
+      <itemizedlist>
+        <listitem>
+          <para>Manually select the users from the user list.</para>
+          <para>&PRODUCT; displays all the users from the LDAP group configured.</para>
+        </listitem>
+        <listitem>
+          <para>Specify the search string or desired user attribute, then import users.</para>
+          <itemizedlist>
+            <listitem>
+              <para>Domain</para>
+            </listitem>
+            <listitem>
+              <para>Account</para>
+            </listitem>
+            <listitem>
+              <para>User type</para>
+            </listitem>
+            <listitem>
+              <para>Timezone</para>
+            </listitem>
+            <listitem>
+              <para>Network Domain</para>
+            </listitem>
+            <listitem>
+              <para>LDAP Group</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+    <listitem>
+      <para>Click Add.</para>
+    </listitem>
+  </orderedlist>
+</section>
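Review bot: step 1 says "Log in to the CloudPlatform UI as an administrator", which hard-codes a product name where every other file uses the &PRODUCT; entity; replace it with &PRODUCT;. The same screen is called "Add LDAP Users" in step 3, "Add LDAP User screen" in its description and "Add LDAP Account screen" in step 4; pick one name. The bulleted list under "Specify the search string or desired user attribute" (Domain, Account, User type, Timezone, Network Domain, LDAP Group) reads like the fields of the dialog rather than LDAP search attributes, so say which are required and which, if any, are matched against the directory. Also "they can by authenticated" should be "they can be authenticated".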

