A look at Citrix Cloud Platform LDAP authentication options

10:04 PM

LDAP, as its name implies, is a lightweight protocol for accessing directory services. You can use any external LDAP server, such as Microsoft Active Directory, ApacheDS or OpenLDAP, to authenticate users to Cloud Platform. Once configured for LDAP authentication, Cloud Platform queries the external LDAP server with the supplied user name and password, using the preconfigured settings. LDAP users can coexist with native Cloud Platform users.

Enabling LDAP Integration

First, we need to tell Cloud Platform which LDAP server to use and how to query it. It is a two-step process.

Step 1: LDAP Global Settings

Go to Global Settings and search for "ldap". Here is a screenshot of the settings that I used in my lab for Microsoft AD.

settings-screen1

The following global settings need to be configured:

  • ldap.basedn: Sets the base DN for LDAP searches. Ex: OU=APAC,DC=company,DC=com
  • ldap.bind.principal / ldap.bind.password: DN and password of a user that can list all users under the base DN above. Ex: CN=Administrator,OU=APAC,DC=company,DC=com
  • ldap.user.object: Object class of users within LDAP. The default value is user for AD and inetOrgPerson for OpenLDAP.
  • ldap.email.attribute: E-mail attribute of a user within LDAP. The default value for AD and OpenLDAP is mail.
  • ldap.firstname.attribute: First name attribute of a user within LDAP. The default value for AD and OpenLDAP is givenname.
  • ldap.lastname.attribute: Surname attribute of a user within LDAP. The default value for AD and OpenLDAP is sn.
  • ldap.username.attribute: User name attribute of a user within LDAP. The default value is sAMAccountName for AD and uid for OpenLDAP.
  • ldap.nested.groups.enable: If true, nested groups are also queried (this is specific to Microsoft AD).
  • ldap.provider: LDAP provider. Ex: openldap, microsoftad
  • ldap.read.timeout: LDAP connection timeout in milliseconds. The default is 1000.
  • ldap.request.page.size: Page size sent on each request to the LDAP server. The default value is 1000.

Use a dedicated read-only directory account for the bind principal: its password is stored in the global settings, and it needs nothing more than search rights on the base DN.

Restricting LDAP users to a group:

  • ldap.search.group.principle: Optional. If set, only users from this group are listed.

LDAP SSL:

When the LDAP server requires SSL, you need to set the following configurations.

Before enabling SSL for LDAP, you must obtain the certificate used by the LDAP server and add it to a trusted key store. You need to know the path to the key store and its password.

  • ldap.truststore: Path to the trust store
  • ldap.truststore.password: Trust store password

Without SSL, the bind principal's password and every user's login password cross the network in clear text with each simple bind, so treat SSL as required rather than optional outside a lab.

LDAP groups:

  • ldap.group.object: Object class of groups within LDAP. The default value is group for AD and groupOfUniqueNames for OpenLDAP.
  • ldap.group.user.uniquemember: Attribute for unique members within a group. The default value is member for AD and uniquemember for OpenLDAP.
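To make the settings above concrete, here is an added Python example (not code from this post or from Cloud Platform itself) that composes the LDAP search filters these settings imply for a user lookup, for both an AD-style and an OpenLDAP-style configuration. The base DN, group DN and user names are constructed sample values, and the filter layout is an illustration of what the settings mean rather than a copy of Cloud Platform's implementation. The security point it shows is RFC 4515 escaping: the name typed at login must be escaped before it is placed in the filter, otherwise a name such as *)(sAMAccountName=* rewrites the query.

```python
"""Compose LDAP search filters from the ldap.* global settings.

Added example, not CloudPlatform's own code. The dict keys mirror the
ldap.* global settings; the DN values are constructed samples.
"""

AD_SETTINGS = {
    "ldap.provider": "microsoftad",
    "ldap.basedn": "OU=APAC,DC=company,DC=com",
    "ldap.user.object": "user",
    "ldap.username.attribute": "sAMAccountName",
    "ldap.search.group.principle": "CN=cloud-users,OU=APAC,DC=company,DC=com",
    "ldap.nested.groups.enable": "true",
    "ldap.group.object": "group",
    "ldap.group.user.uniquemember": "member",
}

OPENLDAP_SETTINGS = {
    "ldap.provider": "openldap",
    "ldap.basedn": "ou=people,dc=company,dc=com",
    "ldap.user.object": "inetOrgPerson",
    "ldap.username.attribute": "uid",
    "ldap.search.group.principle": "cn=cloud-users,ou=groups,dc=company,dc=com",
    "ldap.nested.groups.enable": "false",
    "ldap.group.object": "groupOfUniqueNames",
    "ldap.group.user.uniquemember": "uniqueMember",
}

# Active Directory extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN: makes a
# memberOf assertion walk nested group membership.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(settings: dict, username: str) -> str:
    """Filter that finds one user by the configured object class and username
    attribute, restricted to ldap.search.group.principle when it is set.

    For microsoftad the group restriction is expressed on the user entry via
    memberOf (nested when ldap.nested.groups.enable is true). OpenLDAP keeps
    membership on the group entry instead; see group_membership_filter()."""
    clauses = [
        f"(objectClass={settings['ldap.user.object']})",
        f"({settings['ldap.username.attribute']}={escape_filter_value(username)})",
    ]
    group_dn = settings.get("ldap.search.group.principle")
    if group_dn and settings["ldap.provider"] == "microsoftad":
        attr = "memberOf"
        if settings.get("ldap.nested.groups.enable", "false").lower() == "true":
            attr = f"memberOf:{AD_IN_CHAIN}:"
        clauses.append(f"({attr}={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def group_membership_filter(settings: dict, user_dn: str) -> str:
    """Filter evaluated against the group entry to check that user_dn is a
    member: the natural form for groupOfUniqueNames / uniqueMember."""
    return (
        f"(&(objectClass={settings['ldap.group.object']})"
        f"({settings['ldap.group.user.uniquemember']}={escape_filter_value(user_dn)}))"
    )


if __name__ == "__main__":
    print(user_filter(AD_SETTINGS, "alice"))
    # A hostile login name: unescaped, this would match every user in the base DN.
    print(user_filter(AD_SETTINGS, "*)(sAMAccountName=*"))
    print(user_filter(OPENLDAP_SETTINGS, "alice"))
    print(group_membership_filter(OPENLDAP_SETTINGS, "uid=alice,ou=people,dc=company,dc=com"))
```

Running the module prints the AD filter with the nested-membership rule, the escaped form of the hostile name, and the two OpenLDAP filters; compare the escaped line against the raw name to see why a directory client must never splice login input into a filter as-is.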

Step 2: LDAP Server Configuration

Call the CloudStack API command addLdapConfiguration and provide the host name or IP address and the listening port of the LDAP server. You can also configure multiple servers; these are expected to be replicas. If one fails, the next one will be tried.

You can do the same from the UI: select "LDAP Configuration" from the drop-down in Global Settings and click "Configure LDAP".

Screen Shot 2015-10-29 at 3.10.27 pm

Importing users into Cloud Platform

Once LDAP is configured successfully, you will see a new "Add LDAP Account" button on the Accounts page, as below.

Screen Shot 2015-10-29 at 3.18.10 pm

If you click on it, you will see a dialog in which you can either selectively import users into a Cloud Platform domain or bulk-import all the users in an LDAP group (enter the LDAP group name in the LDAP Group text box) into a Cloud Platform domain. The two API calls used here are ldapCreateAccount (single account creation) and importLdapUsers (bulk import).

Screen Shot 2015-10-29 at 3.20.07 pm

Once the users are imported successfully, they can log in to Cloud Platform with their LDAP user name and password. Any password or account change in LDAP takes effect here immediately, and an account disabled in LDAP is no longer able to access Cloud Platform, because Cloud Platform queries LDAP on every authentication and does not store the password itself. Note that this applies to password logins: API key / secret key pairs issued to the account are validated against the keys stored in Cloud Platform, not against LDAP, so revoke them when you disable the user in LDAP.

LDAP trust, or linking a Cloud Platform domain to LDAP

With the method described above, a manual step by the administrator is required to import the user into Cloud Platform; only then can the user sign in. With the Hollywood release of Citrix Cloud Platform and Apache CloudStack 4.6, it is now possible to link Cloud Platform domains to a group or OU in LDAP. A new API, linkDomainToLdap, is used to achieve this. It can also be called from the domain view in the UI, as shown in the figure below (the button highlighted in red).

Screen Shot 2015-10-29 at 3.30.56 pm

When you click the button, you will be presented with a dialog as shown below.

Screen Shot 2015-10-29 at 3.37.20 pm

The options are the fully qualified name of the LDAP group / OU to link, the account type for the imported users, and optionally a domain admin user name for the domain. Once the domain is linked successfully, all LDAP users in the configured group / OU can log in to Cloud Platform automatically. Users deleted or disabled in LDAP are unable to sign in, and newly added users can sign in without the manual import step.
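The API calls named in this post (addLdapConfiguration in step 2, importLdapUsers for the bulk import, and linkDomainToLdap here) all go through the same signed CloudStack API, so scripting them comes down to one request signer. The following Python is an added example, not code from the post or from the CloudStack project: it implements the CloudStack API signature scheme (parameters sorted, URL-encoded, lowercased, HMAC-SHA1 with the secret key, base64) and builds the parameter sets for the three calls. The endpoint, API key, secret key and domain id are constructed sample values; domainid, ldapdomain, type, accounttype and admin are the parameter names of linkDomainToLdap, and group / accounttype those of importLdapUsers.

```python
"""Build signed CloudStack / CloudPlatform API requests for the LDAP calls.

Added example, not code from the post or the CloudStack project. Endpoint and
keys are constructed samples.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

ENDPOINT = "https://cloud.example.com/client/api"  # assumed endpoint
API_KEY = "sample-api-key"                          # constructed, not a real key
SECRET_KEY = "sample-secret-key"                    # constructed, not a real key


def canonical_query(params: dict) -> str:
    """Query string in signing order: keys sorted case-insensitively, values
    URL-encoded with spaces as %20 (never '+'), as the CloudStack API expects."""
    parts = []
    for key in sorted(params, key=str.lower):
        parts.append(f"{key}={quote(str(params[key]), safe='')}")
    return "&".join(parts)


def sign(query: str, secret: str) -> str:
    """HMAC-SHA1 over the lowercased query string, base64-encoded."""
    digest = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(params: dict, api_key: str = API_KEY, secret: str = SECRET_KEY,
               endpoint: str = ENDPOINT) -> str:
    """Full URL with apiKey and signature appended; JSON response by default."""
    full = dict(params, apiKey=api_key)
    full.setdefault("response", "json")
    query = canonical_query(full)
    return f"{endpoint}?{query}&signature={quote(sign(query, secret), safe='')}"


def add_ldap_configuration(hostname: str, port: int) -> dict:
    """Register one LDAP server; call once per replica to get failover."""
    return {"command": "addLdapConfiguration", "hostname": hostname, "port": port}


def import_ldap_users(domainid: str, group: str, accounttype: int = 0) -> dict:
    """Bulk-import the members of an LDAP group into a domain (0 = user)."""
    return {"command": "importLdapUsers", "domainid": domainid,
            "group": group, "accounttype": accounttype}


def link_domain_to_ldap(domainid: str, ldapdomain: str, link_type: str,
                        accounttype: int = 0, admin: str = "") -> dict:
    """Link a domain to an LDAP GROUP or OU so its members log in without a
    manual import. accounttype 0 = user, 2 = domain admin; admin optionally
    names the LDAP user that becomes the domain admin."""
    if link_type not in ("GROUP", "OU"):
        raise ValueError("type must be GROUP or OU")
    if accounttype not in (0, 2):
        raise ValueError("accounttype must be 0 (user) or 2 (domain admin)")
    params = {"command": "linkDomainToLdap", "domainid": domainid,
              "ldapdomain": ldapdomain, "type": link_type,
              "accounttype": accounttype}
    if admin:
        params["admin"] = admin
    return params


if __name__ == "__main__":
    print(signed_url(add_ldap_configuration("ldap.company.com", 636)))
    print(signed_url(import_ldap_users("d1", "cloud-users")))
    print(signed_url(link_domain_to_ldap(
        "d1", "CN=cloud-users,OU=APAC,DC=company,DC=com", "GROUP", 2, "alice")))
```

Send the printed URL with any HTTP client; the signature is bound to every parameter, so a change to domainid or accounttype in transit invalidates the request. Keep the secret key out of shell history and logs, since it authorises every call the account can make.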
