CloudStack 4.3 and LDAP Integration Setup

CloudStack 4.3 has changed the way you configure Microsoft Active Directory (AD) integration a bit, so I wanted to do a more up-to-date tutorial on how to set it up. This will only get better going forward, but here is what you have to do today, out of the box, in the CloudStack portal. Of course you'll need an AD domain that the CloudStack management server can reach, so I'll assume you have both.

On the AD side, create a dedicated service account that CloudStack will use to bind to AD; its distinguished name (DN) and password go into the CloudStack management global settings. A regular domain user with read access is enough for the lookups CloudStack performs, so do not use a Domain Admin, and do not reuse the account for anything else, because its password lives in CloudStack's global settings.

You may want to use "ADSI Edit" to easily get the other information you'll need, in particular the exact DN of the service account and the base DN of the domain.

In the CloudStack management portal go to Global Settings, click the drop-down and select "LDAP Configuration".

Click the “Configure LDAP” button.

Enter the host name and port of the Active Directory server (389 is the default LDAP port).

Back in Global Settings, type "ldap" in the search box and you should see the ldap.* settings.

For a basic setup you'll need to change the following settings.

  • ldap.basedn
  • ldap.bind.password
  • ldap.bind.principal
  • ldap.user.object
  • ldap.username.attribute

Here is how you'd apply the values to each setting (lab values; substitute your own domain, account and password).

Name                      Value
ldap.basedn               DC=lab,DC=domain,DC=local
ldap.bind.password        MyUn$3cur3P@$$w0rd
ldap.bind.principal       CN=my account,OU=Users,DC=lab,DC=domain,DC=local
ldap.user.object          user
ldap.username.attribute   sAMAccountName

You can set "ldap.username.attribute" as you see fit, but I like to use the "sAMAccountName" attribute, since that is the short logon name users already know. Note that "ldap.bind.principal" must be the full DN of the service account as ADSI Edit shows it, not a DOMAIN\user or user@domain name. Once the settings have been saved, restart the cloudstack-management service for them to take effect.
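Before restarting the management service it is worth dry-running the lookup CloudStack will make with exactly these values, because a wrong base DN, a non-DN bind principal or a typo in the password only shows up later as a failed login. The script below is an added example, not CloudStack's own code: it checks the five settings for the common mistakes, builds the search filter the management server will send (with the login name escaped per RFC 4515 so that a crafted user name cannot alter the filter), and, if the ldap3 package is installed and the AD host is reachable, binds as the service account and runs that search. The settings values are the constructed lab values from the table above; the host name and the `live_lookup` helper are assumptions for illustration.

```python
"""Dry-run the LDAP bind and user lookup that CloudStack 4.3 performs with the
ldap.* global settings. Added example; not part of CloudStack."""
import re

# Constructed sample values mirroring the settings table (not a real domain).
SETTINGS = {
    "ldap.basedn": "DC=lab,DC=domain,DC=local",
    "ldap.bind.principal": "CN=my account,OU=Users,DC=lab,DC=domain,DC=local",
    "ldap.bind.password": "MyUn$3cur3P@$$w0rd",
    "ldap.user.object": "user",
    "ldap.username.attribute": "sAMAccountName",
}

# RFC 4515 escapes for characters that are special inside a search filter.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in an LDAP filter.
    Without this, a login name such as 'x)(objectClass=*' would change
    the meaning of the filter instead of being matched literally."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def user_filter(settings: dict, username: str) -> str:
    """The filter CloudStack effectively uses: object class AND username attribute."""
    obj = settings["ldap.user.object"]
    attr = settings["ldap.username.attribute"]
    return f"(&(objectClass={obj})({attr}={escape_filter_value(username)}))"


def check_settings(settings: dict) -> list:
    """Return a list of problems with the five ldap.* settings; empty means OK."""
    problems = []
    base = settings.get("ldap.basedn", "")
    principal = settings.get("ldap.bind.principal", "")
    if not re.fullmatch(r"(DC=[^,]+)(,DC=[^,]+)*", base, re.IGNORECASE):
        problems.append("ldap.basedn should be a DC-only DN like DC=lab,DC=domain,DC=local")
    if "=" not in principal:
        problems.append("ldap.bind.principal must be a DN (as shown by ADSI Edit), not DOMAIN\\user")
    if not principal.lower().endswith(base.lower()):
        problems.append("ldap.bind.principal does not sit under ldap.basedn")
    if not settings.get("ldap.bind.password"):
        problems.append("ldap.bind.password is empty")
    if settings.get("ldap.user.object") != "user":
        problems.append("ldap.user.object is normally 'user' for Active Directory")
    if settings.get("ldap.username.attribute") not in ("sAMAccountName", "userPrincipalName"):
        problems.append("ldap.username.attribute is not a usual AD logon attribute")
    return problems


def live_lookup(settings: dict, host: str, port: int, username: str) -> list:
    """Bind as the service account and search for `username` exactly as the
    management server will. Needs the ldap3 package and network access to AD,
    so the import is lazy; the offline checks above do not depend on it."""
    from ldap3 import ALL, Connection, Server  # pip install ldap3

    server = Server(host, port=port, get_info=ALL)
    conn = Connection(
        server,
        user=settings["ldap.bind.principal"],
        password=settings["ldap.bind.password"],
        auto_bind=True,  # raises LDAPBindError if the DN or password is wrong
    )
    conn.search(
        settings["ldap.basedn"],
        user_filter(settings, username),
        attributes=[settings["ldap.username.attribute"], "memberOf"],
    )
    return [entry.entry_dn for entry in conn.entries]


if __name__ == "__main__":
    for problem in check_settings(SETTINGS):
        print("WARNING:", problem)
    print("Filter sent to AD:", user_filter(SETTINGS, "jdoe"))
    # Uncomment with a reachable domain controller (host name is an assumption):
    # print(live_lookup(SETTINGS, "dc01.lab.domain.local", 389, "jdoe"))
```

If `check_settings` prints nothing and `live_lookup` returns the user's DN, the same values will work in CloudStack; if the bind fails here, fixing it here is faster than restarting cloudstack-management repeatedly.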

I noticed in 4.3 that you cannot change your password from the management portal after you've switched to AD, which is good since authentication should always go through AD. This is also enforced for the local "admin" account, so make sure you have set the "admin" password as needed before enabling LDAP, or you will be stopped by an error prompt when you try to change it afterwards.

After all of this is done and the cloudstack-management service has been restarted, you'll still need to log in and create the CloudStack accounts that map to AD accounts before those users can access CloudStack; enabling LDAP does not by itself grant anyone access. The good thing is that CloudStack now provides a way to do this from the UI. Just browse to Home > Accounts, click the "Add LDAP Account" button, select the accounts you'd like to add and choose whether they should have the "user" or the "admin" role.


You can also configure CloudStack to use AD groups now, which makes it easy to allow only specific users access to CloudStack. This is definitely a nice addition, or should I say improvement, that makes integrating with AD simple. Most of all, the users are thankful not to have to remember yet another account name and password.

CloudStack 4.3 and LDAP Integration Setup originally appeared on theHyperadvisor by Antone Heyward


2 Responses to CloudStack 4.3 and LDAP Integration Setup

  1. Ian Duffy on June 5, 2020 at 1:14 pm

    Hey Antone,

    You should put a screenshot of the user import screen in the second-last paragraph. That was a big improvement for LDAP in 4.3. The screenshot may appeal to the quick-scrolling reader.

  2. Antone Heyward on June 5, 2020 at 1:40 pm

    That's true, Ian. I have the screenshot but overlooked adding it to the post. Will do.


Disclaimer:

The opinions expressed on this blog are solely those of the individual that left it, and do not reflect the opinions of their employer.