[X2go-dev] LDAP integration call for help
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Jun 30 15:10:56 CEST 2010
On Wed, 2010-06-30 at 13:11 +0200, Mike Gabriel wrote:
> Hi there,
>
> after having played with x2goserver-one/sqlite for a while I am
> testing x2goserver with LDAP/Postgres setup.
>
> The Postgres setup was easy, thanks to the wiki (there are some
> essential typos in the wiki page, I have registered with the wiki to
> fix them).
>
> But LDAP...
>
> My very first impression is - and maybe I am wrong - that the
> LDAP-Server setup is far too rigid (I will speak openly).
>
> I use x2go over the internet, thus every connection I make has to be
> encrypted and needs authentication.
>
>
> 1. LDAPS support
> the x2goclient does not support LDAPS... Does it support StartTLS
> somewhere hidden in its guts? Otherwise, LDAPS is definitely an item
> for the x2go wishlist
>
>
> 2. LDAP Auth
> the x2goclient does not support LDAP auth. At least simple_bind_s
> should be possible... -> wishlist. When exactly does the x2goclient
> access the LDAP db? I suppose before authentication to one of the
> x2goservers. I wonder if it would also be possible to tunnel LDAP
> access through ssh... (i.e. after session login).
>
>
> 3. Documentation of Internals
> The LDAP scripts in the x2goldaptools package help to set up an LDAP
> server from scratch. This is not what people might want if they
> migrate a site. For site migration to x2go without help of your setup
> scripts the internals of the LDAP communication/data storage methods
> must be documented better (e.g. difference between server and host in
> LDAP -> serial = 1, scratchscratch...).
>
>
> 4. Admin DN...
> The migration/setup scripts require cn=ldapadmin,$BASE as admin
> DN. This is too rigid! There is a config file for LDAP settings
> (/etc/x2go/x2goldaptools.conf). This one should be used for putting
> information on the LDAP database.
>
>
> 5. Admin DN secret...
> The migration tools take the LDAP admin password from
> /etc/libnss_ldap.secret. Also the ldap secret should be retrieved from
> /etc/x2go/x2goldaptools.conf, or even better from a
> /etc/x2go/x2goldaptools.secret file (0600:root:root). It might well be
> that people set up a special x2goadmin account in LDAP for the purpose
> of administrating x2go relevant LDAP-objects.
>
>
> 6. LDAP storage structures
> Really big organizations group their LDAP data into ous. One ou for
> one department at work (e.g. ou=sales,$BASE; ou=management,$BASE;
> etc.). Within these ous they store sub-ous like group, people, hosts
> etc. Sometimes they even have ou-based Administrators.
>
> cn=admin,ou=sales,$BASE
> ou=people,ou=sales,$BASE
> ou=group,ou=sales,$BASE
> ou=hosts,ou=sales,$BASE
>
> cn=admin,ou=support,$BASE
> ou=people,ou=support,$BASE
> ou=group,ou=support,$BASE
> ou=hosts,ou=support,$BASE
>
> ...
>
> This is the approach the system and user management software GOsa²
> takes; AD structures also often look like this.
>
> I wonder if x2go is flexible enough to handle structures like these...
>
>
> 7. Active Directory
> This might be overkill now, but has anyone tried to store x2go users,
> hosts and groups in AD??? With support of winbind, maybe?
>
>
> 8. Why LDAP?
> Could anyone explain to me what x2go explicitly needs LDAP for? What
> information is stored in LDAP that could not be replaced by any other
> libnss services. (Has anyone ever thought to use netgroups and
> pam_access for machine access control, BTW?).
>
>
> 9. Load-Balancing
> Could anyone also hint to me how load-balancing in a multi-server setup
> works with x2go? I guess this question is related to LDAP...
>
>
> Loads of questions, sorry, but I couldn't get LDAP functionality
> running out of the box with my already existing LDAP setup.
<snip>
Thanks for articulating this. We would also like to see some growth in
LDAP. We use RedHat's DS and have shied away from X2Go/LDAP for both
lack of time to unravel it and because it appeared a little too rigid at
first glance. I'll be quite interested in what you find - John
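As an added illustration of items 4 and 5 in the quoted message (this is not code from the x2go project or from either poster): a small Python helper that takes the admin DN from a key=value config instead of hard-coding cn=ldapadmin,$BASE, and reads the admin secret only from a file that really is 0600 and owned by root:root. The config key names, the key=value format and the sample contents are assumptions.

```python
import os
import stat

# Paths as proposed in the post; the file format and key names are assumed.
CONF_PATH = "/etc/x2go/x2goldaptools.conf"
SECRET_PATH = "/etc/x2go/x2goldaptools.secret"

# Constructed sample config, not a real x2goldaptools.conf.
SAMPLE_CONF = """# x2go LDAP settings (constructed example)
ldap_uri = ldaps://ldap.example.com
base_dn  = dc=example,dc=com
admin_dn = cn=x2goadmin,ou=admins,dc=example,dc=com
"""


def parse_conf(text):
    """Parse key=value lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def admin_dn(settings):
    """Admin DN from the config; the old cn=ldapadmin,$BASE is only a fallback."""
    return settings.get("admin_dn", "cn=ldapadmin,%s" % settings["base_dn"])


def secret_file_problems(mode, uid, gid):
    """Reasons not to trust a secret file; empty when it is a 0600 root:root regular file."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != 0 or gid != 0:
        problems.append("owner is %d:%d, expected 0:0" % (uid, gid))
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % stat.S_IMODE(mode))
    return problems


def read_ldap_secret(path=SECRET_PATH):
    """Return the secret, refusing symlinks and files with loose ownership or mode."""
    # O_NOFOLLOW rejects a symlink at the path; fstat on the open descriptor
    # means the check and the read apply to the same inode.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as f:
        st = os.fstat(f.fileno())
        problems = secret_file_problems(st.st_mode, st.st_uid, st.st_gid)
        if problems:
            raise PermissionError("%s: %s" % (path, "; ".join(problems)))
        return f.read().strip()
```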