[X2go-dev] LDAP integration call for help
Mike Gabriel
m.gabriel at das-netzwerkteam.de
Wed Jun 30 13:11:34 CEST 2010
Hi there,
after having played with x2goserver-one/sqlite for a while I am
testing x2goserver with an LDAP/Postgres setup.
The Postgres setup was easy, thanks to the wiki (there are some
essential typos in the wiki page, I have registered with the wiki to
fix them).
But LDAP...
My very first impression is - and maybe I am wrong - that the
LDAP-Server setup is far too rigid (I will speak openly).
I use x2go over the internet, thus every connection I make has to be
encrypted and needs authentication.
1. LDAPS support
the x2goclient does not support LDAPS... Does it support StartTLS
somewhere hidden in its guts? Otherwise, LDAPS is definitely an item
for the x2go wishlist.
2. LDAP Auth
the x2goclient does not support LDAP auth. At least simple_bind_s
should be possible... -> wishlist. When exactly does the x2goclient
access the LDAP db? I suppose before authentication to one of the
x2goservers. I wonder if it would also be possible to tunnel LDAP
access through ssh (i.e. after session login).
3. Documentation of Internals
The LDAP scripts in the x2goldaptools package help to set up an LDAP
server from scratch. This is not what people might want if they
migrate a site. For site migration to x2go without the help of your setup
scripts the internals of the LDAP communication/data storage methods
must be documented better (e.g. the difference between server and host in
LDAP -> serial = 1, scratchscratch...).
4. Admin DN...
The migration/setup scripts require cn=ldapadmin,$BASE as the admin
DN. This is too rigid! There is a config file for LDAP settings
(/etc/x2go/x2goldaptools.conf). This one should be used for storing
information about the LDAP database.
5. Admin DN secret...
The migration tools take the LDAP admin password from
/etc/libnss_ldap.secret. The LDAP secret should also be retrieved from
/etc/x2go/x2goldaptools.conf, or even better from a
/etc/x2go/x2goldaptools.secret file (0600:root:root). It might well be
that people set up a special x2goadmin account in LDAP for the purpose
of administrating x2go-relevant LDAP objects.
6. LDAP storage structures
Really big organizations group their LDAP data into ous. One ou for
one department at work (e.g. ou=sales,$BASE; ou=management,$BASE;
etc.). Within these ous they store sub-ous like group, people, hosts
etc. Sometimes they even have ou-based administrators.
cn=admin,ou=sales,$BASE
ou=people,ou=sales,$BASE
ou=group,ou=sales,$BASE
ou=hosts,ou=sales,$BASE
cn=admin,ou=support,$BASE
ou=people,ou=support,$BASE
ou=group,ou=support,$BASE
ou=hosts,ou=support,$BASE
...
This is the approach the system and user management software GOsa²
takes; AD structures often look like this, too.
I wonder if x2go is flexible enough to handle structures like these...
7. Active Directory
This might be overkill now, but has anyone tried to store x2go users,
hosts and groups in AD??? With support of winbind, maybe?
8. Why LDAP?
Could anyone explain to me what x2go explicitly needs LDAP for? What
information is stored in LDAP that could not be replaced by any other
libnss service? (Has anyone ever thought of using netgroups and
pam_access for machine access control, BTW?)
9. Load-Balancing
Could anyone also give me a hint how load-balancing in a multi-server setup
works with x2go? I guess this question is related to LDAP...
Loads of questions, sorry, but I couldn't get LDAP functionality
running out of the box with my already existing LDAP setup.
Thanks a lot to whoever replies here!!!
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
phone: +49 (4302) 281418, fax: +49 (4302) 281419
e-mail reading/writing hours: weekdays 8h-10h
mail: m.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
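The following is an added example and not x2go or x2goldaptools code. It sketches how items 4, 5 and 6 of the post above could be handled by a tool: the admin DN is read from a config file instead of being hard-coded as cn=ldapadmin,$BASE, the admin secret is read from a dedicated file that is refused unless it is a regular file with no group/other permission bits and the expected owner, and the per-department DNs (cn=admin, ou=people, ou=group, ou=hosts under ou=<dept>,$BASE) are derived from the ou-per-department layout. The INI layout of the config, the section name `[ldap]` and the keys `ldap_uri`, `base_dn`, `admin_dn` and `secret_file` are assumptions made for this example; the sample config and the temp file in the demo are constructed inputs. The LDAP connection itself (StartTLS, simple bind) is out of scope here.

```python
"""Config-driven LDAP admin settings, as an added example (not x2go code).

Covers items 4, 5 and 6 of the post: admin DN read from a config file
instead of hard-coded cn=ldapadmin,$BASE, admin secret read from a file
that must be 0600 and owned by the expected user, and per-department DNs
derived from an ou-per-department tree. The [ldap] section and its keys
(ldap_uri, base_dn, admin_dn, secret_file) are assumed, not from the post.
"""
import configparser
import os
import pwd
import stat
import tempfile

# Constructed sample standing in for /etc/x2go/x2goldaptools.conf.
SAMPLE_CONF = """
[ldap]
ldap_uri = ldaps://ldap.example.org/
base_dn = dc=example,dc=org
admin_dn = cn=x2goadmin,ou=people,dc=example,dc=org
secret_file = /etc/x2go/x2goldaptools.secret
"""


def load_ldap_config(text):
    """Parse the [ldap] section into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ldap"])


def read_secret_file(path, expected_owner="root"):
    """Return the first line of the secret file. Refuse (PermissionError)
    unless it is a regular file (lstat, so symlinks are rejected), has no
    group/other permission bits, and is owned by expected_owner (a user
    name or a numeric uid)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {mode:04o}, expected 0600")
    want_uid = (expected_owner if isinstance(expected_owner, int)
                else pwd.getpwnam(expected_owner).pw_uid)
    if st.st_uid != want_uid:
        raise PermissionError(f"{path}: uid {st.st_uid}, expected {want_uid}")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
            escaped = (ch == "\\") and not escaped
    parts.append("".join(cur).strip())
    return parts


def department_dns(entry_dn, base_dn):
    """For an entry below ou=<dept>,$BASE return the department ou plus the
    admin/people/group/hosts DNs the post's layout puts under it."""
    rdns, base = split_dn(entry_dn), split_dn(base_dn)
    if (len(rdns) <= len(base)
            or [r.lower() for r in rdns[-len(base):]] != [b.lower() for b in base]):
        raise ValueError(f"{entry_dn} is not below {base_dn}")
    dept = rdns[-len(base) - 1]  # the RDN directly above the base
    if not dept.lower().startswith("ou="):
        raise ValueError(f"{entry_dn}: no department ou above the base")
    dept_dn = f"{dept},{base_dn}"
    return {"department": dept_dn,
            "admin": f"cn=admin,{dept_dn}",
            "people": f"ou=people,{dept_dn}",
            "group": f"ou=group,{dept_dn}",
            "hosts": f"ou=hosts,{dept_dn}"}


def demo_secret_check():
    """Run read_secret_file on a constructed temp file, first as 0600
    (accepted) and then as 0644 (must be rejected).
    Returns (secret_read, rejected_when_world_readable)."""
    me = os.getuid()  # the demo is not run as root, so expect our own uid
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("correct horse battery staple\n")
        os.chmod(path, 0o600)
        secret = read_secret_file(path, expected_owner=me)
        os.chmod(path, 0o644)
        try:
            read_secret_file(path, expected_owner=me)
            rejected = False
        except PermissionError:
            rejected = True
    finally:
        os.unlink(path)
    return secret, rejected
```

`read_secret_file` deliberately uses `lstat` and insists on a regular file, so a symlink dropped into /etc/x2go cannot redirect the tool to a file an attacker controls, and it compares uids rather than trusting the caller to have already checked ownership. `department_dns` only resolves the layout the post describes; a site with a different sub-ou naming would change the dictionary keys accordingly.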