We have deployed vCloud Director 5.5 and created some ORG VDCs. The base LDAP is a Windows 2012 AD domain, and we created users that can access the ORG VDC just fine. There seems to be a security concern, however: when you are logged in as one of these users to their ORG VDC and you go to the Administration tab and select Groups, if you click Search it will list out every group in the domain. Is there a way to restrict the search to limit it to groups only in a specific OU?

The idea being that if we have several different customers and created separate OUs for each of them, and then populated those OUs with users strictly for the respective groups, we could have a single AD domain and fence off one customer from another by preventing them from browsing each other's groups as well as the entire Active Directory. Now granted, we could set up a custom LDAP and have different domains per customer, or connect to their own AD if they have one, but it seems like it would be easier to centralize it under 1 AD we control. To clarify the existing setup, let me outline the settings below.
AD domain users and groups:
  Default domain: test.local (dc=test,dc=local)
  New OU within domain: customer1 (ou=customer1,dc=test,dc=local)
  New group in new OU: customergroup1 (CN=customergroup1,OU=customer1,dc=test,dc=local)
  User in new OU: cust1admin
  cust1admin has the rights of Organizational Administrator in the ORG VDC

LDAP settings within vCloud Director:
  Provider VDC LDAP setting, Base Distinguished Name: dc=test,dc=local
  Customer1 ORG VDC Distinguished Name for OU: OU=customer1,dc=test,dc=local
So with the above setup, the issue is: if cust1admin accesses his ORG VDC and, under Administration/Groups, performs a search, he gets a list of all the AD groups in test.local (Domain Admins, customer2, customer2...etc) and not just the customergroup1 created within the customer1 OU.
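An added audit check, not from the post and not part of vCloud Director: given the group DNs a search returns, it reports which fall outside an org's OU base DN, using LDAP subtree-scope semantics (suffix match on normalized RDNs, so the post's mixed ou=/OU= and dc=/DC= spellings compare equal). The sample group list is constructed; only customergroup1 and the two base DNs come from the post.

```python
import re

# Base DNs from the post: provider-level search base and the customer1 org OU.
PROVIDER_BASE = "dc=test,dc=local"
ORG_OU = "OU=customer1,dc=test,dc=local"

# Constructed sample of what a domain-wide group search might return.
SAMPLE_GROUPS = [
    "CN=customergroup1,OU=customer1,dc=test,dc=local",   # from the post
    "CN=Sales\\, EMEA,OU=customer1,DC=test,DC=local",     # escaped comma in RDN
    "CN=Domain Admins,CN=Users,DC=test,DC=local",         # constructed
    "CN=customergroup2,OU=customer2,DC=test,DC=local",    # constructed
]


def parse_dn(dn):
    """Split a DN into RDN strings, leaving backslash-escaped commas intact."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def normalize_rdn(rdn):
    """Lower-case attribute type and value so OU=/ou= and DC=/dc= compare equal."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


def dn_is_under(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (LDAP subtree scope)."""
    parts = [normalize_rdn(r) for r in parse_dn(dn)]
    base = [normalize_rdn(r) for r in parse_dn(base_dn)]
    return len(parts) >= len(base) and parts[-len(base):] == base


def groups_outside_scope(group_dns, org_base_dn):
    """Return the group DNs an org user should not be able to see."""
    return [g for g in group_dns if not dn_is_under(g, org_base_dn)]


if __name__ == "__main__":
    # With the provider base every group is in scope, which matches the post.
    print("leaked with provider base:", groups_outside_scope(SAMPLE_GROUPS, PROVIDER_BASE))
    # With the org OU as base only customer1's groups are in scope.
    print("leaked with org OU base:  ", groups_outside_scope(SAMPLE_GROUPS, ORG_OU))
```

Running it shows no leaks when the org OU is the search base and two leaked groups (Domain Admins and customergroup2) when the provider base is used.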