Posted to dev@cloudstack.apache.org by Ian Duffy <ia...@ianduffy.ie> on 2013/07/26 17:52:25 UTC

[GSoC] (Screencast/Demo) LDAP user provisioning

Hi Guys,

The latest patch I uploaded to review board (
https://reviews.apache.org/r/12969/ ) brings the "LDAP user
provisioning" project to a "prototype" stage.

If anybody wants to give feedback the ldapplugin branch should have
all features shown in the screencast once the above patch is shipped.
Support still needs to be added for ldap over SSL, memberof filters
and only show users that exist within ldap but not cloudstack on the
add user screen.

This includes:
 - A new plugin for configuring ldap, authenticating against LDAP and
getting a list of users from LDAP.
 - Modified UI
       - Global Settings - Global LDAP configuration options. BaseDN,
Bind username, Bind password, etc.
       - Global settings -> LDAP Configuration. Lets you add multiple
LDAP servers for failover support.
       - Accounts -> Add Account. Brings up a table of LDAP users,
lets you select one to many LDAP users, set the same domain/network
domain/timezone/etc. for them and create them.

Quick 2min screencast at
https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off these
additions.

This screencast was created using the embedded LDAP server I added in
for the sake of integration tests. It's based off ApacheDS, and can be
started with

mvn -pl plugins/user-authenticators/ldap ldap:run

Thanks for all the help!
Ian

RE: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by "Musayev, Ilya" <im...@webmd.net>.
Ian,

Much appreciated,

Can't wait to put this into real world QA :)

Thanks
ilya

> -----Original Message-----
> From: Ian Duffy [mailto:ian@ianduffy.ie]
> Sent: Wednesday, July 31, 2013 8:58 PM
> To: Musayev, Ilya
> Cc: dev@cloudstack.apache.org
> Subject: Re: [GSoC] (Screencast/Demo) LDAP user provisioning
> 
> Hi Ilya,
> 
> SSL is now done. Still need to do more testing on it but it appears to be
> working.
> 
> > I want to backport this into my customized 4.1 cloudstack edition called
> > cloudsand. CloudSand is a hybrid of CloudStack stable version with some
> > urgently needed features pulled from master to speed up cloudstack
> > adoption by enterprises. The work you do on LDAP will be a great addition!
> 
> Cool. I didn't realise you had the project on github until I seen your earlier
> emails on another subject today, love what you have done with it. I have
> forked your repo and added in the features to date along with making
> modifications to the code where necessary to support 4.1.1
> 
> Enjoy: https://github.com/imduffy15/cloudsand
> 
> Will send you a merge request in [a|few] week(s).
> 
> Ian
> 
> On 31 July 2013 09:49, Ian Duffy <ia...@ianduffy.ie> wrote:
> > Moving along faster than expected with this.
> >
> > The pending patches do the following:
> >
> >  - Disable UI password changes when LDAP is enabled.
> >  - Disable API password changes when LDAP is enabled.
> >  - Add support for the memberof filter.
> >
> > Hope to get SSL done before the week is out.
> >
> > On 26 July 2013 18:39, Ian Duffy <ia...@ianduffy.ie> wrote:
> >> It's all good :-) just don't want to make promises. Can't trust my
> >> home internet at all.
> >>
> >> Cool will keep an eye out for it. I'd imagine it'd be fairly easy to
> >> implement.
> >>
> >> On 26 Jul 2013 18:25, "Musayev, Ilya" <im...@webmd.net> wrote:
> >>>
> >>> I understand, I guess do the best you can, sorry you are losing
> >>> office space, if would've have been in NYC, we could have helped you
> >>> with it :)
> >>>
> >>> I've also sent an email asking for help with scheduled tasks,
> >>> perhaps someone can respond.
> >>>
> >>> Regards
> >>> ilya
> >>>
> >>> > -----Original Message-----
> >>> > From: Ian Duffy [mailto:ian@ianduffy.ie]
> >>> > Sent: Friday, July 26, 2013 1:10 PM
> >>> > To: dev@cloudstack.apache.org
> >>> > Subject: RE: [GSoC] (Screencast/Demo) LDAP user provisioning
> >>> >
> >>> > Hi Ilya,
> >>> >
> >>> > Apologies in advance for lack of formatting, currently replying
> >>> > from mobile.
> >>> >
> >>> > Those UI features are present in 4.2 under LDAP configuration
> >>> > within global settings as far as I am aware. They are buggy if I
> >>> > remember correctly.
> >>> >
> >>> > For deactivating users I haven't looked into it yet and have not
> >>> > sent out an email asking for help on creating a scheduled task. It
> >>> > is not included within the project proposal so I was leaving it as
> >>> > a 'if I have time at the end' type of thing. I lose office space
> >>> > and a decent internet connection come august 20th so I'm pushing
> >>> > to get all proposed features done before then.
> >>> >
> >>> > Check out 1:25 such messages exist.
> >>> >
> >>> > Yes has been tested against Apache DS, openldap and active directory.
> >>> > I'm a
> >>> > little worried about implementing a member of filter, I've yet to
> >>> > figure out how to enable that in openldap, active directory has it
> >>> > by default thankfully.
> >>> > You'll need to set your LDAP attributes for active directory
> >>> > within global settings, by default they are at POSIX compliant
> >>> > ones... So..
> >>> > User object to user username to samAccountName.
> >>> > On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:
> >>> >
> >>> > > Ian
> >>> > >
> >>> > > Watched screencast and you did an amazing job! I want to
> >>> > > backport this into my customized 4.1 cloudstack edition called
> >>> > > cloudsand. CloudSand is a hybrid of CloudStack stable version
> >>> > > with some urgently needed features pulled from master to speed
> >>> > > up cloudstack adoption by enterprises. The work you do on LDAP will
> >>> > > be a great addition!
> >>> > >
> >>> > > With that said, I have few questions:
> >>> > >
> >>> > > Back several months ago, I recall some work done on LDAP where
> >>> > > a patch was introduced to configure LDAP through UI. Not in
> >>> > > Global Settings like you did for basedn, but in separate window
> >>> > > where you defined hostname and port. Would you know what
> >>> > > happened to that?
> >>> > > Where do you stand with scheduled task on checking which ldap
> >>> > > users have been deactivated and deactivate them in CS as well?
> >>> > > Also, it would be nice to mention "User XYZ could not be added
> >>> > > due to missing email (or whatever else is missing)".
> >>> > > Have you tried testing this on Windows AD, unfortunately, many
> >>> > > enterprises use Microsoft Active Directory.
> >>> > >
> >>> > > Thanks again for improving CloudStack,
> >>> > >
> >>> > > Regards
> >>> > > -ilya
> >>> > >
> >>> > >
> >>> > > > -----Original Message-----
> >>> > > > From: Ian Duffy [mailto:ian@ianduffy.ie]
> >>> > > > Sent: Friday, July 26, 2013 11:52 AM
> >>> > > > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
> >>> > > > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
> >>> > > >
> >>> > > > Hi Guys,
> >>> > > >
> >>> > > > The latest patch I uploaded to review board (
> >>> > > > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
> >>> > > provisioning"
> >>> > > > project to a "prototype" stage.
> >>> > > >
> >>> > > > If anybody wants to give feedback the ldapplugin branch should
> >>> > > > have all features shown in the screencast once the above patch
> >>> > > > is shipped.
> >>> > > > Support still needs to be added for ldap over SSL, memberof
> >>> > > > filters and
> >>> > > only
> >>> > > > show users that exist within ldap but not cloudstack on the
> >>> > > > add user
> >>> > > screen.
> >>> > > >
> >>> > > > This includes:
> >>> > > >  - A new plugin for configuring ldap, authenticating against
> >>> > > > LDAP and
> >>> > > getting a
> >>> > > > list of users from LDAP.
> >>> > > >  - Modified UI
> >>> > > >        - Global Settings - Global LDAP configuration options.
> >>> > > > BaseDN,
> >>> > > Bind
> >>> > > > username, Bind password, etc.
> >>> > > >        - Global settings -> LDAP Configuration. Lets you add
> >>> > > > multiple
> >>> > > LDAP
> >>> > > > servers for failover support.
> >>> > > >        - Accounts -> Add Account. Brings up a table of LDAP
> >>> > > > users, lets
> >>> > > you select
> >>> > > > one to many LDAP users, set the same domain/network
> >>> > > > domain/timezone/etc. for them and create them.
> >>> > > >
> >>> > > > Quick 2min screencast at
> >>> > > > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing
> off
> >>> > these
> >>> > > > additions.
> >>> > > >
> >>> > > > This screencast was created using the embedded LDAP server I
> >>> > > > added in for the sake of integration tests. It's based off
> >>> > > > ApacheDS, and can be started
> >>> > > with
> >>> > > >
> >>> > > > mvn -pl plugins/user-authenticators/ldap ldap:run
> >>> > > >
> >>> > > > Thanks for all the help!
> >>> > > > Ian
> >>> > >
> >>> > >


Re: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by Ian Duffy <ia...@ianduffy.ie>.
Hi Ilya,

SSL is now done. Still need to do more testing on it but it appears to
be working.

> I want to backport this into my customized 4.1 cloudstack edition called
> cloudsand. CloudSand is a hybrid of CloudStack stable version with some
> urgently needed features pulled from master to speed up cloudstack
> adoption by enterprises. The work you do on LDAP will be a great addition!

Cool. I didn't realise you had the project on github until I seen your
earlier emails on another subject today, love what you have done with
it. I have forked your repo and added in the features to date along
with making modifications to the code where necessary to support 4.1.1

Enjoy: https://github.com/imduffy15/cloudsand

Will send you a merge request in [a|few] week(s).

Ian

On 31 July 2013 09:49, Ian Duffy <ia...@ianduffy.ie> wrote:
> Moving along faster than expected with this.
>
> The pending patches do the following:
>
>  - Disable UI password changes when LDAP is enabled.
>  - Disable API password changes when LDAP is enabled.
>  - Add support for the memberof filter.
>
> Hope to get SSL done before the week is out.
>
> On 26 July 2013 18:39, Ian Duffy <ia...@ianduffy.ie> wrote:
>> It's all good :-) just don't want to make promises. Can't trust my home
>> internet at all.
>>
>> Cool will keep an eye out for it. I'd imagine it'd be fairly easy to
>> implement.
>>
>> On 26 Jul 2013 18:25, "Musayev, Ilya" <im...@webmd.net> wrote:
>>>
>>> I understand, I guess do the best you can, sorry you are losing office
>>> space, if would've have been in NYC, we could have helped you with it :)
>>>
>>> I've also sent an email asking for help with scheduled tasks, perhaps
>>> someone can respond.
>>>
>>> Regards
>>> ilya
>>>
>>> > -----Original Message-----
>>> > From: Ian Duffy [mailto:ian@ianduffy.ie]
>>> > Sent: Friday, July 26, 2013 1:10 PM
>>> > To: dev@cloudstack.apache.org
>>> > Subject: RE: [GSoC] (Screencast/Demo) LDAP user provisioning
>>> >
>>> > Hi Ilya,
>>> >
>>> > Apologies in advance for lack of formatting, currently replying from
>>> > mobile.
>>> >
>>> > Those UI features are present in 4.2 under LDAP configuration within
>>> > global
>>> > settings as far as I am aware. They are buggy if I remember correctly.
>>> >
>>> > For deactivating users I haven't looked into it yet and have not sent
>>> > out an
>>> > email asking for help on creating a scheduled task. It is not included
>>> > within
>>> > the project proposal so I was leaving it as a 'if I have time at the
>>> > end' type of
>>> > thing. I lose office space and a decent internet connection come august
>>> > 20th
>>> > so I'm pushing to get all proposed features done before then.
>>> >
>>> > Check out 1:25 such messages exist.
>>> >
>>> > Yes has been tested against Apache DS, openldap and active directory.
>>> > I'm a
>>> > little worried about implementing a member of filter, I've yet to figure
>>> > out
>>> > how to enable that in openldap, active directory has it by default
>>> > thankfully.
>>> > You'll need to set your LDAP attributes for active directory within
>>> > global
>>> > settings, by default they are at POSIX compliant ones... So..
>>> > User object to user username to samAccountName.
>>> > On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:
>>> >
>>> > > Ian
>>> > >
>>> > > Watched screencast and you did an amazing job! I want to backport this
>>> > > into my customized 4.1 cloudstack edition called cloudsand. CloudSand
>>> > > is a hybrid of CloudStack stable version with some urgently needed
>>> > > features pulled from master to speed up cloudstack adoption by
>>> > > enterprises. The work you do on LDAP will be a great addition!
>>> > >
>>> > > With that said, I have few questions:
>>> > >
>>> > > Back several months ago, I recall some work done on LDAP where a
>>> > > patch was introduced to configure LDAP through UI. Not in Global
>>> > > Settings like you did for basedn, but in separate window where you
>>> > > defined hostname and port. Would you know what happened to that?
>>> > > Where do you stand with scheduled task on checking which ldap users
>>> > > have been deactivated and deactivate them in CS as well?
>>> > > Also, it would be nice to mention "User XYZ could not be added due to
>>> > > missing email (or whatever else is missing)".
>>> > > Have you tried testing this on Windows AD, unfortunately, many
>>> > > enterprises use Microsoft Active Directory.
>>> > >
>>> > > Thanks again for improving CloudStack,
>>> > >
>>> > > Regards
>>> > > -ilya
>>> > >
>>> > >
>>> > > > -----Original Message-----
>>> > > > From: Ian Duffy [mailto:ian@ianduffy.ie]
>>> > > > Sent: Friday, July 26, 2013 11:52 AM
>>> > > > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
>>> > > > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
>>> > > >
>>> > > > Hi Guys,
>>> > > >
>>> > > > The latest patch I uploaded to review board (
>>> > > > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
>>> > > provisioning"
>>> > > > project to a "prototype" stage.
>>> > > >
>>> > > > If anybody wants to give feedback the ldapplugin branch should have
>>> > > > all features shown in the screencast once the above patch is
>>> > > > shipped.
>>> > > > Support still needs to be added for ldap over SSL, memberof filters
>>> > > > and
>>> > > only
>>> > > > show users that exist within ldap but not cloudstack on the add user
>>> > > screen.
>>> > > >
>>> > > > This includes:
>>> > > >  - A new plugin for configuring ldap, authenticating against LDAP
>>> > > > and
>>> > > getting a
>>> > > > list of users from LDAP.
>>> > > >  - Modified UI
>>> > > >        - Global Settings - Global LDAP configuration options.
>>> > > > BaseDN,
>>> > > Bind
>>> > > > username, Bind password, etc.
>>> > > >        - Global settings -> LDAP Configuration. Lets you add
>>> > > > multiple
>>> > > LDAP
>>> > > > servers for failover support.
>>> > > >        - Accounts -> Add Account. Brings up a table of LDAP users,
>>> > > > lets
>>> > > you select
>>> > > > one to many LDAP users, set the same domain/network
>>> > > > domain/timezone/etc. for them and create them.
>>> > > >
>>> > > > Quick 2min screencast at
>>> > > > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off
>>> > these
>>> > > > additions.
>>> > > >
>>> > > > This screencast was created using the embedded LDAP server I added
>>> > > > in for the sake of integration tests. It's based off ApacheDS, and can
>>> > > > be started
>>> > > with
>>> > > >
>>> > > > mvn -pl plugins/user-authenticators/ldap ldap:run
>>> > > >
>>> > > > Thanks for all the help!
>>> > > > Ian
>>> > >
>>> > >

Re: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by Ian Duffy <ia...@ianduffy.ie>.
Moving along faster than expected with this.

The pending patches do the following:

 - Disable UI password changes when LDAP is enabled.
 - Disable API password changes when LDAP is enabled.
 - Add support for the memberof filter.

Hope to get SSL done before the week is out.

On 26 July 2013 18:39, Ian Duffy <ia...@ianduffy.ie> wrote:
> It's all good :-) just don't want to make promises. Can't trust my home
> internet at all.
>
> Cool will keep an eye out for it. I'd imagine it'd be fairly easy to
> implement.
>
> On 26 Jul 2013 18:25, "Musayev, Ilya" <im...@webmd.net> wrote:
>>
>> I understand, I guess do the best you can, sorry you are losing office
>> space, if would've have been in NYC, we could have helped you with it :)
>>
>> I've also sent an email asking for help with scheduled tasks, perhaps
>> someone can respond.
>>
>> Regards
>> ilya
>>
>> > -----Original Message-----
>> > From: Ian Duffy [mailto:ian@ianduffy.ie]
>> > Sent: Friday, July 26, 2013 1:10 PM
>> > To: dev@cloudstack.apache.org
>> > Subject: RE: [GSoC] (Screencast/Demo) LDAP user provisioning
>> >
>> > Hi Ilya,
>> >
>> > Apologies in advance for lack of formatting, currently replying from
>> > mobile.
>> >
>> > Those UI features are present in 4.2 under LDAP configuration within
>> > global
>> > settings as far as I am aware. They are buggy if I remember correctly.
>> >
>> > For deactivating users I haven't looked into it yet and have not sent
>> > out an
>> > email asking for help on creating a scheduled task. It is not included
>> > within
>> > the project proposal so I was leaving it as a 'if I have time at the
>> > end' type of
>> > thing. I lose office space and a decent internet connection come august
>> > 20th
>> > so I'm pushing to get all proposed features done before then.
>> >
>> > Check out 1:25 such messages exist.
>> >
>> > Yes has been tested against Apache DS, openldap and active directory.
>> > I'm a
>> > little worried about implementing a member of filter, I've yet to figure
>> > out
>> > how to enable that in openldap, active directory has it by default
>> > thankfully.
>> > You'll need to set your LDAP attributes for active directory within
>> > global
>> > settings, by default they are at POSIX compliant ones... So..
>> > User object to user username to samAccountName.
>> > On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:
>> >
>> > > Ian
>> > >
>> > > Watched screencast and you did an amazing job! I want to backport this
>> > > into my customized 4.1 cloudstack edition called cloudsand. CloudSand
>> > > is a hybrid of CloudStack stable version with some urgently needed
>> > > features pulled from master to speed up cloudstack adoption by
>> > > enterprises. The work you do on LDAP will be a great addition!
>> > >
>> > > With that said, I have few questions:
>> > >
>> > > Back several months ago, I recall some work done on LDAP where a
>> > > patch was introduced to configure LDAP through UI. Not in Global
>> > > Settings like you did for basedn, but in separate window where you
>> > > defined hostname and port. Would you know what happened to that?
>> > > Where do you stand with scheduled task on checking which ldap users
>> > > have been deactivated and deactivate them in CS as well?
>> > > Also, it would be nice to mention "User XYZ could not be added due to
>> > > missing email (or whatever else is missing)".
>> > > Have you tried testing this on Windows AD, unfortunately, many
>> > > enterprises use Microsoft Active Directory.
>> > >
>> > > Thanks again for improving CloudStack,
>> > >
>> > > Regards
>> > > -ilya
>> > >
>> > >
>> > > > -----Original Message-----
>> > > > From: Ian Duffy [mailto:ian@ianduffy.ie]
>> > > > Sent: Friday, July 26, 2013 11:52 AM
>> > > > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
>> > > > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
>> > > >
>> > > > Hi Guys,
>> > > >
>> > > > The latest patch I uploaded to review board (
>> > > > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
>> > > provisioning"
>> > > > project to a "prototype" stage.
>> > > >
>> > > > If anybody wants to give feedback the ldapplugin branch should have
>> > > > all features shown in the screencast once the above patch is
>> > > > shipped.
>> > > > Support still needs to be added for ldap over SSL, memberof filters
>> > > > and
>> > > only
>> > > > show users that exist within ldap but not cloudstack on the add user
>> > > screen.
>> > > >
>> > > > This includes:
>> > > >  - A new plugin for configuring ldap, authenticating against LDAP
>> > > > and
>> > > getting a
>> > > > list of users from LDAP.
>> > > >  - Modified UI
>> > > >        - Global Settings - Global LDAP configuration options.
>> > > > BaseDN,
>> > > Bind
>> > > > username, Bind password, etc.
>> > > >        - Global settings -> LDAP Configuration. Lets you add
>> > > > multiple
>> > > LDAP
>> > > > servers for failover support.
>> > > >        - Accounts -> Add Account. Brings up a table of LDAP users,
>> > > > lets
>> > > you select
>> > > > one to many LDAP users, set the same domain/network
>> > > > domain/timezone/etc. for them and create them.
>> > > >
>> > > > Quick 2min screencast at
>> > > > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off
>> > these
>> > > > additions.
>> > > >
>> > > > This screencast was created using the embedded LDAP server I added
>> > > > in for the sake of integration tests. It's based off ApacheDS, and can
>> > > > be started
>> > > with
>> > > >
>> > > > mvn -pl plugins/user-authenticators/ldap ldap:run
>> > > >
>> > > > Thanks for all the help!
>> > > > Ian
>> > >
>> > >
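
Added example (not part of the thread and not CloudStack's code): one way to build the user-search filter this message discusses, with POSIX-style defaults swapped for Active Directory attributes and an optional memberOf restriction, escaping every value per RFC 4515. The profile field names, the POSIX attribute values and the sample entries are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515: characters that must be escaped inside a filter assertion value.
_RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute names come from configuration; accept plain attribute descriptors only.
_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally by the directory server."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapAttributeProfile:
    """Hypothetical stand-in for the global LDAP attribute settings."""
    user_object: str                  # objectClass that marks a user entry
    username_attribute: str           # attribute that holds the login name
    email_attribute: str = "mail"
    group_attribute: str = "memberOf"

    def __post_init__(self) -> None:
        for name in (self.username_attribute, self.email_attribute, self.group_attribute):
            if not _ATTRIBUTE_NAME.fullmatch(name):
                raise ValueError(f"invalid LDAP attribute name: {name!r}")


# Assumed POSIX-style defaults, and the Active Directory mapping from the thread
# (user object -> user, username -> samAccountName).
POSIX = LdapAttributeProfile(user_object="inetOrgPerson", username_attribute="uid")
ACTIVE_DIRECTORY = LdapAttributeProfile(user_object="user", username_attribute="sAMAccountName")


def build_user_filter(profile: LdapAttributeProfile,
                      username: Optional[str] = None,
                      group_dn: Optional[str] = None) -> str:
    """Return a filter for all users (username=None) or one user, optionally
    restricted to members of group_dn through the memberOf attribute."""
    clauses = [f"(objectClass={escape_filter_value(profile.user_object)})"]
    if username is None:
        clauses.append(f"({profile.username_attribute}=*)")   # presence test: any user
    elif username == "":
        raise ValueError("empty username")
    else:
        clauses.append(f"({profile.username_attribute}={escape_filter_value(username)})")
    if group_dn:
        # A DN may itself contain backslashes (RFC 4514 escapes); they are escaped again here.
        clauses.append(f"({profile.group_attribute}={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def provisioning_problems(entries: List[Dict[str, List[str]]],
                          profile: LdapAttributeProfile) -> List[str]:
    """Report entries that cannot be provisioned because the e-mail attribute is missing."""
    problems = []
    for entry in entries:
        attrs = {key.lower(): values for key, values in entry.items()}  # names are case-insensitive
        names = attrs.get(profile.username_attribute.lower()) or ["<unknown>"]
        if not attrs.get(profile.email_attribute.lower()):
            problems.append(
                f"User {names[0]} could not be added due to missing {profile.email_attribute}")
    return problems


# Constructed sample search results (attribute name -> list of values).
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jdoe"], "mail": ["jdoe@example.com"]},
    {"samaccountname": ["asmith"]},
]

if __name__ == "__main__":
    print(build_user_filter(POSIX))
    print(build_user_filter(ACTIVE_DIRECTORY, username="smith(ops)*",
                            group_dn="CN=Smith\\, Ops,OU=Groups,DC=example,DC=com"))
    print(provisioning_problems(SAMPLE_ENTRIES, ACTIVE_DIRECTORY))
```
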

RE: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by Ian Duffy <ia...@ianduffy.ie>.
It's all good :-) just don't want to make promises. Can't trust my home
internet at all.

Cool will keep an eye out for it. I'd imagine it'd be fairly easy to
implement.
On 26 Jul 2013 18:25, "Musayev, Ilya" <im...@webmd.net> wrote:

> I understand, I guess do the best you can, sorry you are losing office
> space, if would've have been in NYC, we could have helped you with it :)
>
> I've also sent an email asking for help with scheduled tasks, perhaps
> someone can respond.
>
> Regards
> ilya
>
> > -----Original Message-----
> > From: Ian Duffy [mailto:ian@ianduffy.ie]
> > Sent: Friday, July 26, 2013 1:10 PM
> > To: dev@cloudstack.apache.org
> > Subject: RE: [GSoC] (Screencast/Demo) LDAP user provisioning
> >
> > Hi Ilya,
> >
> > Apologies in advance for lack of formatting, currently replying from
> mobile.
> >
> > Those UI features are present in 4.2 under LDAP configuration within
> global
> > settings as far as I am aware. They are buggy if I remember correctly.
> >
> > For deactivating users I haven't looked into it yet and have not sent
> out an
> > email asking for help on creating a scheduled task. It is not included
> within
> > the project proposal so I was leaving it as a 'if I have time at the
> end' type of
> > thing. I lose office space and a decent internet connection come august
> 20th
> > so I'm pushing to get all proposed features done before then.
> >
> > Check out 1:25 such messages exist.
> >
> > Yes has been tested against Apache DS, openldap and active directory.
> I'm a
> > little worried about implementing a member of filter, I've yet to figure
> out
> > how to enable that in openldap, active directory has it by default
> thankfully.
> > You'll need to set your LDAP attributes for active directory within
> global
> > settings, by default they are at POSIX compliant ones... So..
> > User object to user username to samAccountName.
> > On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:
> >
> > > Ian
> > >
> > > Watched screencast and you did an amazing job! I want to backport this
> > > into my customized 4.1 cloudstack edition called cloudsand. CloudSand
> > > is a hybrid of CloudStack stable version with some urgently needed
> > > features pulled from master to speed up cloudstack adoption by
> > > enterprises. The work you do on LDAP will be a great addition!
> > >
> > > With that said, I have few questions:
> > >
> > > Back several months ago, I recall some work done on LDAP where a
> > > patch was introduced to configure LDAP through UI. Not in Global
> > > Settings like you did for basedn, but in separate window where you
> > > defined hostname and port. Would you know what happened to that?
> > > Where do you stand with scheduled task on checking which ldap users
> > > have been deactivated and deactivate them in CS as well?
> > > Also, it would be nice to mention "User XYZ could not be added due to
> > > missing email (or whatever else is missing)".
> > > Have you tried testing this on Windows AD, unfortunately, many
> > > enterprises use Microsoft Active Directory.
> > >
> > > Thanks again for improving CloudStack,
> > >
> > > Regards
> > > -ilya
> > >
> > >
> > > > -----Original Message-----
> > > > From: Ian Duffy [mailto:ian@ianduffy.ie]
> > > > Sent: Friday, July 26, 2013 11:52 AM
> > > > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
> > > > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
> > > >
> > > > Hi Guys,
> > > >
> > > > The latest patch I uploaded to review board (
> > > > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
> > > provisioning"
> > > > project to a "prototype" stage.
> > > >
> > > > If anybody wants to give feedback the ldapplugin branch should have
> > > > all features shown in the screencast once the above patch is shipped.
> > > > Support still needs to be added for ldap over SSL, memberof filters
> > > > and
> > > only
> > > > show users that exist within ldap but not cloudstack on the add user
> > > screen.
> > > >
> > > > This includes:
> > > >  - A new plugin for configuring ldap, authenticating against LDAP
> > > > and
> > > getting a
> > > > list of users from LDAP.
> > > >  - Modified UI
> > > >        - Global Settings - Global LDAP configuration options.
> > > > BaseDN,
> > > Bind
> > > > username, Bind password, etc.
> > > >        - Global settings -> LDAP Configuration. Lets you add
> > > > multiple
> > > LDAP
> > > > servers for failover support.
> > > >        - Accounts -> Add Account. Brings up a table of LDAP users,
> > > > lets
> > > you select
> > > > one to many LDAP users, set the same domain/network
> > > > domain/timezone/etc. for them and create them.
> > > >
> > > > Quick 2min screencast at
> > > > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off
> > these
> > > > additions.
> > > >
> > > > This screencast was created using the embedded LDAP server I added
> > > > in for the sake of integration tests. It's based off ApacheDS, and can
> > > > be started
> > > with
> > > >
> > > > mvn -pl plugins/user-authenticators/ldap ldap:run
> > > >
> > > > Thanks for all the help!
> > > > Ian
> > >
> > >
>

RE: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by "Musayev, Ilya" <im...@webmd.net>.
I understand, I guess do the best you can, sorry you are losing office space, if would've have been in NYC, we could have helped you with it :)

I've also sent an email asking for help with scheduled tasks, perhaps someone can respond.

Regards
ilya

> -----Original Message-----
> From: Ian Duffy [mailto:ian@ianduffy.ie]
> Sent: Friday, July 26, 2013 1:10 PM
> To: dev@cloudstack.apache.org
> Subject: RE: [GSoC] (Screencast/Demo) LDAP user provisioning
> 
> Hi Ilya,
> 
> Apologies in advance for lack of formatting, currently replying from mobile.
> 
> Those UI features are present in 4.2 under LDAP configuration within global
> settings as far as I am aware. They are buggy if I remember correctly.
> 
> For deactivating users I haven't looked into it yet and have not sent out an
> email asking for help on creating a scheduled task. It is not included within
> the project proposal so I was leaving it as a 'if I have time at the end' type of
> thing. I lose office space and a decent internet connection come august 20th
> so I'm pushing to get all proposed features done before then.
> 
> Check out 1:25 such messages exist.
> 
> Yes has been tested against Apache DS, openldap and active directory. I'm a
> little worried about implementing a member of filter, I've yet to figure out
> how to enable that in openldap, active directory has it by default thankfully.
> You'll need to set your LDAP attributes for active directory within global
> settings, by default they are at POSIX compliant ones... So..
> User object to user username to samAccountName.
> On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:
> 
> > Ian
> >
> > Watched screencast and you did an amazing job! I want to backport this
> > into my customized 4.1 cloudstack edition called cloudsand. CloudSand
> > is a hybrid of CloudStack stable version with some urgently needed
> > features pulled from master to speed up cloudstack adoption by
> > enterprises. The work you do on LDAP will be a great addition!
> >
> > With that said, I have few questions:
> >
> > Back several months ago, I recall some work done on LDAP where a
> > patch was introduced to configure LDAP through UI. Not in Global
> > Settings like you did for basedn, but in separate window where you
> > defined hostname and port. Would you know what happened to that?
> > Where do you stand with scheduled task on checking which ldap users
> > have been deactivated and deactivate them in CS as well?
> > Also, it would be nice to mention "User XYZ could not be added due to
> > missing email (or whatever else is missing)".
> > Have you tried testing this on Windows AD, unfortunately, many
> > enterprises use Microsoft Active Directory.
> >
> > Thanks again for improving CloudStack,
> >
> > Regards
> > -ilya
> >
> >
> > > -----Original Message-----
> > > From: Ian Duffy [mailto:ian@ianduffy.ie]
> > > Sent: Friday, July 26, 2013 11:52 AM
> > > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
> > > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
> > >
> > > Hi Guys,
> > >
> > > The latest patch I uploaded to review board (
> > > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
> > provisioning"
> > > project to a "prototype" stage.
> > >
> > > If anybody wants to give feedback the ldapplugin branch should have
> > > all features shown in the screencast once the above patch is shipped.
> > > Support still needs to be added for ldap over SSL, memberof filters
> > > and
> > only
> > > show users that exist within ldap but not cloudstack on the add user
> > screen.
> > >
> > > This includes:
> > >  - A new plugin for configuring ldap, authenticating against LDAP
> > > and
> > getting a
> > > list of users from LDAP.
> > >  - Modified UI
> > >        - Global Settings - Global LDAP configuration options.
> > > BaseDN,
> > Bind
> > > username, Bind password, etc.
> > >        - Global settings -> LDAP Configuration. Lets you add
> > > multiple
> > LDAP
> > > servers for failover support.
> > >        - Accounts -> Add Account. Brings up a table of LDAP users,
> > > lets
> > you select
> > > one to many LDAP users, set the same domain/network
> > > domain/timezone/etc. for them and create them.
> > >
> > > Quick 2min screencast at
> > > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off
> these
> > > additions.
> > >
> > > This screencast was created using the embedded LDAP server I added
> > > in for the sake of integration tests. It's based off ApacheDS, and can
> > > be started
> > with
> > >
> > > mvn -pl plugins/user-authenticators/ldap ldap:run
> > >
> > > Thanks for all the help!
> > > Ian
> >
> >

RE: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by Ian Duffy <ia...@ianduffy.ie>.
Hi Ilya,

Apologies in advance for lack of formatting, currently replying from
mobile.

Those UI features are present in 4.2 under LDAP configuration within global
settings as far as I am aware. They are buggy if I remember correctly.

For deactivating users I haven't looked into it yet and have not sent out
an email asking for help on creating a scheduled task. It is not included
within the project proposal so I was leaving it as a 'if I have time at the
end' type of thing. I lose office space and a decent internet connection
come August 20th so I'm pushing to get all proposed features done before
then.

Check out 1:25; such messages exist.

Yes, it has been tested against Apache DS, openldap and active directory. I'm a
little worried about implementing a member of filter, I've yet to figure
out how to enable that in openldap, active directory has it by default
thankfully. You'll need to set your LDAP attributes for active directory
within global settings, by default they are at POSIX compliant ones... So..
User object to user, username to samAccountName.

On 26 Jul 2013 17:20, "Musayev, Ilya" <im...@webmd.net> wrote:

> Ian
>
> Watched screencast and you did an amazing job! I want to backport this
> into my customized 4.1 cloudstack edition called cloudsand. CloudSand is a
> hybrid of CloudStack stable version with some urgently needed features
> pulled from master to speed up cloudstack adoption by enterprises. The work
> you do on LDAP will be a great addition!
>
> With that said, I have a few questions:
>
> Back several months ago, I recall some work done on LDAP where a patch
> was introduced to configure LDAP through UI. Not in Global Settings like
> you did for basedn, but in separate window where you defined hostname and
> port. Would you know what happened to that?
> Where do you stand with scheduled task on checking which ldap users have
> been deactivated and deactivate them in CS as well?
> Also, it would be nice to mention "User XYZ could not be added due to
> missing email (or whatever else is missing)".
> Have you tried testing this on Windows AD? Unfortunately, many enterprises
> use Microsoft Active Directory.
>
> Thanks again for improving CloudStack,
>
> Regards
> -ilya
>
>
> > -----Original Message-----
> > From: Ian Duffy [mailto:ian@ianduffy.ie]
> > Sent: Friday, July 26, 2013 11:52 AM
> > To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
> > Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
> >
> > Hi Guys,
> >
> > The latest patch I uploaded to review board (
> > https://reviews.apache.org/r/12969/ ) brings the "LDAP user
> > provisioning" project to a "prototype" stage.
> >
> > If anybody wants to give feedback the ldapplugin branch should have all
> > features shown in the screencast once the above patch is shipped.
> > Support still needs to be added for ldap over SSL, memberof filters and
> > only show users that exist within ldap but not cloudstack on the add
> > user screen.
> >
> > This includes:
> >  - A new plugin for configuring ldap, authenticating against LDAP and
> > getting a list of users from LDAP.
> >  - Modified UI
> >        - Global Settings - Global LDAP configuration options. BaseDN,
> > Bind username, Bind password, etc.
> >        - Global settings -> LDAP Configuration. Lets you add multiple
> > LDAP servers for failover support.
> >        - Accounts -> Add Account. Brings up a table of LDAP users, lets
> > you select one to many LDAP users, set the same domain/network
> > domain/timezone/etc. for them and create them.
> >
> > Quick 2min screencast at
> > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off these
> > additions.
> >
> > This screencast was created using the embedded LDAP server I added in for
> > the sake of integration tests. It's based off ApacheDS, and can be started
> > with
> >
> > mvn -pl plugins/user-authenticators/ldap ldap:run
> >
> > Thanks for all the help!
> > Ian
>
>
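
The attribute mapping and memberOf restriction mentioned in the reply above can be expressed as a search filter. This is an added example, not code from the thread or from the CloudStack plugin; the profile table, the POSIX defaults (`inetOrgPerson`/`uid`), the function names and the sample group DN are assumptions.

```python
from typing import Optional

# Added example. Only the Active Directory pair comes from the thread;
# the POSIX values and all names here are assumptions for illustration.
PROFILES = {
    # Assumed defaults for a POSIX-style directory (ApacheDS, OpenLDAP).
    "posix": {"user_object": "inetOrgPerson", "username_attr": "uid"},
    # From the thread: user object -> user, username -> samAccountName.
    "active_directory": {"user_object": "user",
                         "username_attr": "sAMAccountName"},
}

# Characters that must be escaped inside a filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
            "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as a value inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(profile: str, username: Optional[str] = None,
                      member_of: Optional[str] = None) -> str:
    """Filter for one user, or for every user when username is None.

    member_of is a group DN; the clause only matches on servers that
    populate the memberOf attribute on user entries.
    """
    attrs = PROFILES[profile]
    clauses = ["(objectClass=%s)" % attrs["user_object"]]
    if username is None:
        # Presence filter: any entry that has a username attribute.
        clauses.append("(%s=*)" % attrs["username_attr"])
    else:
        clauses.append("(%s=%s)" % (attrs["username_attr"],
                                    escape_filter_value(username)))
    if member_of is not None:
        clauses.append("(memberOf=%s)" % escape_filter_value(member_of))
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample inputs.
    group = "CN=Cloud Users (prod),OU=Groups,DC=example,DC=com"
    print(build_user_filter("posix"))
    print(build_user_filter("active_directory", "jdoe"))
    print(build_user_filter("active_directory", member_of=group))
```
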

RE: [GSoC] (Screencast/Demo) LDAP user provisioning

Posted by "Musayev, Ilya" <im...@webmd.net>.
Ian

Watched screencast and you did an amazing job! I want to backport this into my customized 4.1 cloudstack edition called cloudsand. CloudSand is a hybrid of CloudStack stable version with some urgently needed features pulled from master to speed up cloudstack adoption by enterprises. The work you do on LDAP will be a great addition!

With that said, I have a few questions:

Back several months ago, I recall some work done on LDAP where a patch was introduced to configure LDAP through UI. Not in Global Settings like you did for basedn, but in separate window where you defined hostname and port. Would you know what happened to that?
Where do you stand with scheduled task on checking which ldap users have been deactivated and deactivate them in CS as well?
Also, it would be nice to mention "User XYZ could not be added due to missing email (or whatever else is missing)".
Have you tried testing this on Windows AD? Unfortunately, many enterprises use Microsoft Active Directory.

Thanks again for improving CloudStack,

Regards
-ilya


> -----Original Message-----
> From: Ian Duffy [mailto:ian@ianduffy.ie]
> Sent: Friday, July 26, 2013 11:52 AM
> To: Sebastien Goasguen; Abhinandan Prateek; CloudStack Dev
> Subject: [GSoC] (Screencast/Demo) LDAP user provisioning
> 
> Hi Guys,
> 
> The latest patch I uploaded to review board (
> https://reviews.apache.org/r/12969/ ) brings the "LDAP user provisioning"
> project to a "prototype" stage.
> 
> If anybody wants to give feedback the ldapplugin branch should have all
> features shown in the screencast once the above patch is shipped.
> Support still needs to be added for ldap over SSL, memberof filters and only
> show users that exist within ldap but not cloudstack on the add user screen.
> 
> This includes:
>  - A new plugin for configuring ldap, authenticating against LDAP and getting a
> list of users from LDAP.
>  - Modified UI
>        - Global Settings - Global LDAP configuration options. BaseDN, Bind
> username, Bind password, etc.
>        - Global settings -> LDAP Configuration. Lets you add multiple LDAP
> servers for failover support.
>        - Accounts -> Add Account. Brings up a table of LDAP users, lets you select
> one to many LDAP users, set the same domain/network
> domain/timezone/etc. for them and create them.
> 
> Quick 2min screencast at
> https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1 showing off these
> additions.
> 
> This screencast was created using the embedded LDAP server I added in for
> the sake of integration tests. It's based off ApacheDS, and can be started with
> 
> mvn -pl plugins/user-authenticators/ldap ldap:run
> 
> Thanks for all the help!
> Ian