You can use the Eucalyptus LDAP/Active Directory (AD) integration to
synchronize existing LDAP/AD user and group information with
Eucalyptus. When you enable LDAP/AD synchronization, Eucalyptus does
the following:
- Imports specified user and group information from LDAP or AD and
maps it into a predefined two-tier account/group/user
structure
- Authenticates Eucalyptus Administrator Console users through the
connected LDAP or AD service
Note that Eucalyptus only imports the identities and some related
information. Any Eucalyptus-specific attributes are still managed
from Eucalyptus. These include:
- User credentials: secret access keys and X.509 certificates. The
Eucalyptus Administrator Console login password is an exception.
Eucalyptus does not download passwords from LDAP/AD and does not
save them either. Eucalyptus authenticates Eucalyptus
Administrator Console logins directly through LDAP/AD, using
LDAP/AD authentication (simple or SASL).
- Policies: IAM policies and quotas. Policies are associated with
identities within Eucalyptus and stored in the internal
database.
Also note that special identities, including system administrators
and account administrators, are created in Eucalyptus and not
imported from LDAP/AD. Only normal user identities are imported.