Enable LDAP authentication for Cloudstack

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. LDAP is an IETF Standard Track protocol and is specified in “Lightweight Directory Access Protocol (LDAP).

You can use an external LDAP server such as Microsoft Active Directory or ApacheDS or openLDAP to authenticate CloudStack end-users. CloudStack will search the external LDAP directory tree starting at a specified base directory and gets user info such as first name, last name, email and username.

cloudstack LDAP

I have used the following setup to authenticate cloudstack from the openldap directory. This has been successfully tested with cloudstack 4.4.2.


Install openLDAP on CentOS server

#yum install openldap openldap-clients openldap-servers
#cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

copy the result of that command

#vi /etc/openldap/slapd.conf

change your
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=cloudstack,dc=com” read
by * none
by * write
database bdb
suffix “dc=cloudstack,dc=com”
checkpoint 1024 15
rootdn “cn=Manager,dc=cloudstack,dc=com”

#paste slappasswd command result
rootpw {SSHA}pAQ8d8G3zH8rjbwKdQWBS9mS27fHJPuf
#rm -rf /var/lib/ldap/*

#rm -rf /etc/openldap/slapd.d/*

#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chown -Rf ldap. /etc/openldap/slapd.d/

#chown -Rf ldap. /var/lib/ldap/

#chmod 700 /var/lib/ldap/

#chmod 700 /etc/openldap/slapd.d/

#/etc/init.d/slapd restart

#slaptest -u

#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
Add openldap schema for cloudstack
vi cloudstack.ldif

# fogpanel.com
dn: dc=fogpanel,dc=com
objectClass: dcObject
objectClass: organization
o: fogpanel Company
dc: fogpanel

# admin, fogpanel.com
dn: cn=admin,dc=fogpanel,dc=com
cn: admin
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword:: bDN0bTNpbg==

# Users, fogpanel.com
dn: ou=Users,dc=fogpanel,dc=com
ou: Users
objectClass: organizationalUnit
objectClass: top

# gopal, Users, fogpanel.com
dn: cn=gopal,ou=Users,dc=fogpanel,dc=com
uid: gopal
sn: gopal
userPassword:: bDN0bTNpbg==
cn: gopal
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: [email protected]
givenName: gopal

# user1, Users, fogpanel.com
dn: cn=user1,ou=Users,dc=fogpanel,dc=com
uid: user1
sn: user1
userPassword:: bDN0bTNpbg==
cn: user1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

# admin, Users, fogpanel.com
dn: cn=admin,ou=Users,dc=fogpanel,dc=com
uid: admin
sn: admin
userPassword:: Zm9ncGFuZWxhbWFs
cn: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

#ldapadd -x -W -D “cn=Manager,dc=cloudstack,dc=com” -f cloudstack.ldif
Once completed, login your cloudstack and given the Global settings ldap configurations.

ldap.basedn : ou=Users,dc=fogpanel,dc=com

ldap.bind.password : <password>

ldap.bind.principal : cn=Manager,dc=fogpanel,dc=com

ldap.email.attribute : mail

ldap.firstname.attribute : givenName

ldap.lastname.attribute : sn

ldap.username.attribute : uid

ldap.user.object : inetOrgPerson

Done!! click – > Global Settings – > Select View : LDAP configuration -> click Configure LDAP

example settings

Hostname :
port : 389

Thats all!!!
Click cloudstack – > Accounts -> LDAP account

You can create ldap account through cloudstack and give user role.