Enhanced LDAP support (Amazon-like)
Category: Drivers - Auth
I would like to propose the following mechanism for LDAP support:
- Users would only be able to log in to Sunstone and Self Service with the LDAP password
- A new tab would be available for credential management
- The tab would allow the user to generate his credentials to be used with EC2 and OCCI (Access Key, Secret Access Key, OCCI, x509)
- The tab would hold the user's keypairs (like Amazon keypairs, to be used on instances)
- Every time a user tries an operation, with any of his credentials, OpenNebula would check with LDAP whether the user account is still available, or if the user is still a member of a group, etc. (so, LDAP authorization only for credentials)
- The OpenNebula admin would be able to set an expiry period, or to manually expire the user's credentials.
This is very similar to how Amazon and CloudStack work, and would support all the frontends. It would also enhance the "bootstrap" process for a user account. No admin intervention would be required other than maybe adding the user to a group in LDAP.
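The flow sketched above (self-service credential issuance, per-operation revalidation against the directory, and time-based or admin-triggered expiry) as an added Ruby example. This is not OpenNebula's code and is not part of the ticket: the in-memory DIRECTORY hash stands in for the LDAP lookup, and CredentialStore, its method names, REQUIRED_GROUP and the constructed users are assumptions of this sketch.

```ruby
require 'securerandom'
require 'time'

# Constructed stand-in for the LDAP directory: user -> {enabled, groups}.
# A real driver would bind to LDAP and read the account state and memberships.
DIRECTORY = {
  "alice" => { enabled: true,  groups: ["cloud-users"] },
  "bob"   => { enabled: false, groups: ["cloud-users"] },   # disabled account
  "carol" => { enabled: true,  groups: ["staff"] }          # not in the required group
}

# Group an LDAP user must belong to before any credential may be minted or used.
REQUIRED_GROUP = "cloud-users"

class CredentialStore
  Credential = Struct.new(:user, :kind, :access_key, :secret, :expires_at, :revoked)

  # `now` is injectable so the expiry path can be exercised deterministically.
  def initialize(directory:, now: -> { Time.now })
    @directory = directory
    @now = now
    @by_access_key = {}
  end

  # User-driven issuance (the proposed credential-management tab). The LDAP
  # password is never stored; only the generated key material is.
  def issue(user, kind, ttl_seconds:)
    raise "directory check failed for #{user}" unless directory_ok?(user)
    cred = Credential.new(user, kind, SecureRandom.hex(10), SecureRandom.hex(20),
                          @now.call + ttl_seconds, false)
    @by_access_key[cred.access_key] = cred
    cred
  end

  # Admin-driven manual expiry of one credential.
  def revoke(access_key)
    cred = @by_access_key[access_key]
    return false unless cred
    cred.revoked = true
    true
  end

  # Per-operation authorization: local credential state first, then the live
  # directory check, so disabling the account or removing the group membership
  # takes effect immediately even though the credential itself is unexpired.
  def authorize(access_key, presented_secret)
    cred = @by_access_key[access_key]
    return :unknown_key unless cred
    return :bad_secret unless constant_time_eq(cred.secret, presented_secret)
    return :revoked if cred.revoked
    return :expired if @now.call >= cred.expires_at
    return :directory_denied unless directory_ok?(cred.user)
    :ok
  end

  private

  def directory_ok?(user)
    entry = @directory[user]
    !!(entry && entry[:enabled] && entry[:groups].include?(REQUIRED_GROUP))
  end

  # Compare secrets without leaking where the first mismatching byte is.
  def constant_time_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end

# Walks every outcome of the proposed flow and returns them keyed by scenario.
def demo
  clock = Time.at(1_000_000)
  store = CredentialStore.new(directory: DIRECTORY, now: -> { clock })
  results = {}

  alice = store.issue("alice", :ec2, ttl_seconds: 3600)
  results[:alice_ok]         = store.authorize(alice.access_key, alice.secret)
  results[:alice_bad_secret] = store.authorize(alice.access_key, "0" * 40)
  results[:unknown]          = store.authorize("no-such-key", "irrelevant")

  # Accounts that fail the directory check cannot even mint credentials.
  results[:bob_issue]   = (store.issue("bob",   :ec2, ttl_seconds: 3600); :issued) rescue :refused
  results[:carol_issue] = (store.issue("carol", :ec2, ttl_seconds: 3600); :issued) rescue :refused

  # Directory change after issuance is honoured on the next operation.
  DIRECTORY["alice"][:enabled] = false
  results[:alice_after_disable] = store.authorize(alice.access_key, alice.secret)
  DIRECTORY["alice"][:enabled] = true

  # Manual expiry by the admin.
  store.revoke(alice.access_key)
  results[:alice_after_revoke] = store.authorize(alice.access_key, alice.secret)

  # Time-based expiry: a short-lived OCCI credential outlived by the clock.
  short = store.issue("alice", :occi, ttl_seconds: 60)
  clock = Time.at(1_000_000 + 61)
  results[:alice_expired] = store.authorize(short.access_key, short.secret)

  results
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $0
```

The ordering in `authorize` is deliberate: the cheap local checks (unknown key, wrong secret, revoked, expired) run before the directory round trip, so a flood of invalid keys does not translate into LDAP load, while a valid, unexpired credential still gets the live account and group check the ticket asks for.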