[X2go-dev] LDAP integration call for help

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 30 15:10:56 CEST 2010

On Wed, 2010-06-30 at 13:11 +0200, Mike Gabriel wrote:
> Hi there,
> after having played with x2goserver-one/sqlite for a while I am
> testing x2goserver with LDAP/Postgres setup.
> The Postgres setup was easy, thanks to the wiki (there are some
> essential typos in the wiki page, I have registered with the wiki to
> fix them).
> But LDAP...
> My very first impression is - and maybe I am wrong - that the
> LDAP-Server setup is far too rigid (I will speak openly).
> I use x2go over the internet, thus every connection I make has to be
> encrypted and needs authentication.
> 1. LDAPS support
> the x2goclient does not support LDAPS... Does it support StartTLS
> somewhere hidden in its guts? Otherwise, LDAPS is definitely an item
> for the x2go wishlist
> 2. LDAP Auth
> the x2goclient does not support LDAP auth. At least simple_bind_s
> should be possible... -> wishlist. When exactly does the x2goclient
> access the LDAP db? I suppose before authentication to one of the
> x2goservers. I wonder if it was possible to also tunnel LDAP
> access through ssh... (i.e. after session login).
> 3. Documentation of internals
> The LDAP scripts in the x2goldaptools package help to set up an LDAP
> server from scratch. This is not what people might want if they
> migrate a site. For site migration to x2go without help of your setup
> scripts the internals of the LDAP communication/data storage methods
> must be documented better (e.g. difference between server and host in
> LDAP -> serial = 1, scratchscratch...).
> 4. Admin DN...
> The migration/setup scripts presuppose cn=ldapadmin,$BASE as admin
> DN. This is too rigid! There is a config file for LDAP settings
> (/etc/x2go/x2goldaptools.conf). This one should be used for putting
> information on the LDAP database.
> 5. Admin DN secret...
> The migration tools take the LDAP admin password from
> /etc/libnss_ldap.secret. Also the ldap secret should be retrieved from
> /etc/x2go/x2goldaptools.conf, or even better from a
> /etc/x2go/x2goldaptools.secret file (0600:root:root). It might well be
> that people set up a special x2goadmin account in LDAP for the purpose
> of administrating x2go relevant LDAP-objects.
> 6. LDAP storage structures
> Really big organizations group their LDAP data into ous. One ou for
> one department at work (e.g. ou=sales,$BASE; ou=management,$BASE;
> etc.). Within these ous they store sub-ous like group, people, hosts
> etc. Sometimes they even have ou based Administrators.
>    cn=admin,ou=sales,$BASE
>    ou=people,ou=sales,$BASE
>    ou=group,ou=sales,$BASE
>    ou=hosts,ou=sales,$BASE
>    cn=admin,ou=support,$BASE
>    ou=people,ou=support,$BASE
>    ou=group,ou=support,$BASE
>    ou=hosts,ou=support,$BASE
>    ...
> This is an approach the system and user management software GOsa²
> takes, also AD structures often look like this.
> I wonder if x2go is flexible enough to handle structures like these...
> 7. Active Directory
> This might be overkill now, but has anyone tried to store x2go users,
> hosts and groups in AD??? With support of winbind, maybe?
> 8. Why LDAP?
> Could anyone explain to me what x2go explicitly needs LDAP for? What
> information is stored in LDAP that could not be replaced by any other
> libnss services? (Has anyone ever thought to use netgroups and
> pam_access for machine access control, BTW?)
> 9. Load-Balancing
> Could anyone also hint to me how load-balancing in a multi-server setup
> works with x2go? I guess this question is related to LDAP...
> Loads of questions, sorry, but I couldn't get LDAP functionality
> running out of the box with my already existing LDAP setup.
Thanks for articulating this.  We would also like to see some growth in
LDAP.  We use RedHat's DS and have shied away from X2Go/LDAP for both
lack of time to unravel it and because it appeared a little too rigid at
first glance.  I'll be quite interested in what you find - John
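As an added illustration of the dedicated secret file proposed in point 5 of the quoted mail (a file such as /etc/x2go/x2goldaptools.secret with mode 0600 owned by root), here is a small Python loader written for this page; it is not code from the thread, from x2goclient or from x2goldaptools. It refuses to hand out a bind password unless the file is a regular file, owned by the expected uid and unreadable by group and other, and the `demo()` helper exercises it against two constructed files in a temporary directory. The function and path names are assumptions.

```python
import os
import stat
import tempfile

# Path suggested in the quoted mail; assumed default, not a real x2go file.
DEFAULT_SECRET_PATH = "/etc/x2go/x2goldaptools.secret"


class SecretFileError(Exception):
    """Raised when the secret file is missing, not a plain file, or its
    ownership/permissions are weaker than 0600 owned by the expected uid."""


def load_ldap_secret(path=DEFAULT_SECRET_PATH, expected_uid=0):
    """Return the LDAP admin bind password stored on the first line of `path`.

    The checks mirror the 0600:root:root proposal: refuse symlinks and
    non-regular files, refuse a wrong owner, and refuse any group/other
    permission bits, so a misdeployed secret is never silently used.
    """
    try:
        st = os.lstat(path)  # lstat: a symlink is rejected below, not followed
    except FileNotFoundError:
        raise SecretFileError(f"{path}: secret file does not exist")
    if not stat.S_ISREG(st.st_mode):
        raise SecretFileError(f"{path}: not a regular file (symlinks refused)")
    if st.st_uid != expected_uid:
        raise SecretFileError(
            f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    if st.st_mode & 0o077:
        raise SecretFileError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by group/other")
    with open(path, "r", encoding="utf-8") as fh:
        secret = fh.readline().rstrip("\r\n")
    if not secret:
        raise SecretFileError(f"{path}: secret file is empty")
    return secret


def demo():
    """Constructed demonstration: one correctly protected secret file and one
    world-readable one, both created in a temporary directory owned by the
    current user (so expected_uid is the current uid rather than root here)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        me = os.getuid()

        good = os.path.join(tmp, "good.secret")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("constructed-example-password\n")
        os.chmod(good, 0o600)
        results["good"] = load_ldap_secret(good, expected_uid=me)

        bad = os.path.join(tmp, "bad.secret")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("constructed-example-password\n")
        os.chmod(bad, 0o644)  # deliberately too permissive
        try:
            load_ldap_secret(bad, expected_uid=me)
            results["bad"] = None
        except SecretFileError as err:
            results["bad"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same loader can sit in front of whatever eventually performs the `simple_bind_s` the mail asks for, so the bind never happens with a password that was readable by every local user.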

