CloudStack 4.3 and LDAP Integration Setup
CloudStack 4.3 has changed the way you configure Microsoft Active Directory (AD) integration a bit, and I wanted to write a more up-to-date tutorial on how to set it up. This will only get better going forward, but here is what you have to do today out of the box in the CloudStack portal. Of course you’ll need an AD domain that the CloudStack management server can connect to and access, so I’ll assume that you have both.
On the AD side of things, create a service account that CloudStack will use to bind to AD; its credentials go into the CloudStack management global settings.
You may want to use “ADSI Edit” to easily look up the other information you’ll need.
In the CloudStack management portal go to Global Settings, click the drop-down and select “LDAP Configuration”.
Click the “Configure LDAP” button.
Enter the proper information for the Active Directory server host name and port.
In the CloudStack management portal go to Global Settings, then type “ldap” in the search box and you should see the settings shown below.
For a basic setup you’ll need to change the settings below.
- ldap.basedn
- ldap.bind.password
- ldap.bind.principal
- ldap.user.object
- ldap.username.attribute
Here is how you’d apply the values to each setting.
Name | Value |
---|---|
ldap.basedn | DC=lab,DC=domain,DC=local |
ldap.bind.password | MyUn$3cur3P@$$w0rd |
ldap.bind.principal | CN=my account,OU=Users,DC=lab,DC=domain,DC=local |
ldap.user.object | user |
ldap.username.attribute | sAMAccountName |
You can set “ldap.username.attribute” as you see fit, but I like to use the “sAMAccountName” attribute. Once the settings have been added, restart the cloudstack-management service.
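Before restarting the service it is worth checking that the five settings agree with each other and that the bind account can actually find a user. The script below is an added example, not CloudStack’s own code: it mirrors the table above with constructed values, checks that the bind principal sits under the base DN, builds the user lookup filter with RFC 4515 escaping (the exact filter shape CloudStack sends is an assumption), and prints a standard OpenLDAP `ldapsearch` dry run where `AD_HOST` is a placeholder.

```python
import shlex

# Constructed sample values mirroring the post's table (not a real domain).
SETTINGS = {
    "ldap.basedn": "DC=lab,DC=domain,DC=local",
    "ldap.bind.password": "MyUn$3cur3P@$$w0rd",
    "ldap.bind.principal": "CN=my account,OU=Users,DC=lab,DC=domain,DC=local",
    "ldap.user.object": "user",
    "ldap.username.attribute": "sAMAccountName",
}

REQUIRED = ["ldap.basedn", "ldap.bind.password", "ldap.bind.principal",
            "ldap.user.object", "ldap.username.attribute"]

# RFC 4515 escaping: a login name spliced raw into a filter lets "*" match
# every object of the class, so escape it before building the lookup.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(settings: dict, username: str) -> str:
    """Filter for one login lookup; the AND of objectClass and username
    attribute is an assumed shape, not taken from CloudStack's source."""
    return "(&(objectClass={})({}={}))".format(
        settings["ldap.user.object"],
        settings["ldap.username.attribute"],
        ldap_filter_escape(username))

def validate_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the settings agree."""
    problems = [f"missing or empty: {k}" for k in REQUIRED if not settings.get(k)]
    base = settings.get("ldap.basedn", "").replace(" ", "").lower()
    principal = settings.get("ldap.bind.principal", "").replace(" ", "").lower()
    # The service account DN should sit under the base DN it will search.
    if base and principal and not principal.endswith("," + base):
        problems.append("ldap.bind.principal is not under ldap.basedn")
    return problems

def ldapsearch_command(settings: dict, username: str) -> str:
    """ldapsearch line to dry-run the bind and user lookup from the management
    host; AD_HOST is a placeholder and -W prompts for the password so it never
    lands in shell history."""
    args = ["ldapsearch", "-x", "-H", "ldap://AD_HOST:389",
            "-D", settings["ldap.bind.principal"], "-W",
            "-b", settings["ldap.basedn"],
            build_user_filter(settings, username),
            settings["ldap.username.attribute"]]
    return " ".join(shlex.quote(a) for a in args)
```

Run `validate_settings(SETTINGS)` first; if it returns an empty list, paste the output of `ldapsearch_command(SETTINGS, "someuser")` into a shell on the management host and confirm exactly one entry comes back before restarting cloudstack-management.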
I noticed in 4.3 that you cannot change your password from the management portal after you’ve made the change to use AD, which is good since it should always use AD. This is also enforced for the local “admin” account, so make sure you have configured the “admin” password as needed or you will be prompted with the message shown below.
After all of this is done and the cloudstack-management service has been restarted, you’ll still need to log in and create the accounts that map to AD accounts for those users to have access to CloudStack. The good thing is that CloudStack now provides a way to do this from the UI: browse to Home > Accounts, click the “Add LDAP Account” button, select the accounts you’d like to add, and choose whether they should have the “user” or the “admin” role.
You can also configure CloudStack to use AD groups now, which makes it easier to allow only specific users access to CloudStack. This is definitely a nice addition, or should I say improvement, that makes integrating with AD simple. Most of all, users are thankful not to have to remember yet another account name and password.
Hey Antone,
You should put a screenshot of the user import screen in the second-last paragraph. That was a big improvement for LDAP in 4.3. The screenshot may appeal to the quick-scrolling reader.
That’s true, Ian. I have the screenshot but overlooked adding it to the post. Will do.