[X2go-dev] LDAP integration call for help

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 30 15:10:56 CEST 2010


On Wed, 2010-06-30 at 13:11 +0200, Mike Gabriel wrote:
> Hi there,
> 
> after having played with x2goserver-one/sqlite for a while I am
> testing x2goserver with the LDAP/Postgres setup.
> 
> The Postgres setup was easy, thanks to the wiki (there are some  
> essential typos in the wiki page, I have registered with the wiki to  
> fix them).
> 
> But LDAP...
> 
> My very first impression is - and maybe I am wrong - that the
> LDAP-Server setup is far too rigid (I will speak openly).
> 
> I use x2go over the internet, thus every connection I make has to be  
> encrypted and needs authentication.
> 
> 
> 1. LDAPS support
> the x2goclient does not support LDAPS... Does it support StartTLS  
> somewhere hidden in its guts? Otherwise, LDAPS is definitely an item  
> for the x2go wishlist
> 
> 
> 2. LDAP Auth
> the x2goclient does not support LDAP auth. At least simple_bind_s
> should be possible... -> wishlist. When exactly does the x2goclient
> access the LDAP db? I suppose before authentication to one of the
> x2goservers. I wonder if it would also be possible to tunnel LDAP
> access through ssh... (i.e. after session login).
> 
> 
> 3. Documentation of Internals
> The LDAP scripts in the x2goldaptools package help to set up an LDAP
> server from scratch. This is not what people might want if they
> migrate a site. For site migration to x2go without help of your setup
> scripts the internals of the LDAP communication/data storage methods
> must be documented better (e.g. difference between server and host in
> LDAP -> serial = 1, scratchscratch...).
> 
> 
> 4. Admin DN...
> The migration/setup scripts require cn=ldapadmin,$BASE as admin
> DN. This is too rigid! There is a config file for LDAP settings
> (/etc/x2go/x2goldaptools.conf). This one should be used for putting
> information on the LDAP database.
> 
> 
> 5. Admin DN secret...
> The migration tools take the LDAP admin password from  
> /etc/libnss_ldap.secret. Also the ldap secret should be retrieved from  
> /etc/x2go/x2goldaptools.conf, or even better from a  
> /etc/x2go/x2goldaptools.secret file (0600:root:root). It might well be
> that people set up a special x2goadmin account in LDAP for the purpose
> of administrating x2go relevant LDAP-objects.
> 
> 
> 6. LDAP storage structures
> Really big organizations group their LDAP data into ous. One ou for
> one department at work (e.g. ou=sales,$BASE; ou=management,$BASE;
> etc.). Within these ous they store sub-ous like group, people, hosts
> etc. Sometimes they even have ou-based administrators.
> 
>    cn=admin,ou=sales,$BASE
>    ou=people,ou=sales,$BASE
>    ou=group,ou=sales,$BASE
>    ou=hosts,ou=sales,$BASE
> 
>    cn=admin,ou=support,$BASE
>    ou=people,ou=support,$BASE
>    ou=group,ou=support,$BASE
>    ou=hosts,ou=support,$BASE
> 
>    ...
> 
> This is the approach taken by the system and user management software
> GOsa²; AD structures also often look like this.
> 
> I wonder if x2go is flexible enough to handle structures like these...
> 
> 
> 7. Active Directory
> This might be overkill now, but has anyone tried to store x2go users,  
> hosts and groups in AD??? With support of winbind, maybe?
> 
> 
> 8. Why LDAP?
> Could anyone explain to me what x2go explicitly needs LDAP for? What
> information is stored in LDAP that could not be replaced by any other
> libnss services? (Has anyone ever thought to use netgroups and
> pam_access for machine access control, BTW?)
> 
> 
> 9. Load-Balancing
> Could anyone also give me a hint how load-balancing in a multi-server
> setup works with x2go? I guess this question is related to LDAP...
> 
> 
> Loads of questions, sorry, but I couldn't get LDAP functionality  
> running out of the box with my already existing LDAP setup.
<snip>
Thanks for articulating this.  We would also like to see some growth in
LDAP.  We use RedHat's DS and have shied away from X2Go/LDAP for both
lack of time to unravel it and because it appeared a little too rigid at
first glance.  I'll be quite interested in what you find - John
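Mike's items 1, 2 and 5 above (encrypted LDAP transport, a simple bind, and an admin secret kept in a 0600 root-owned file rather than /etc/libnss_ldap.secret) together describe one small piece of tooling. The following is an added illustration, not code from x2go or from either poster: it refuses a secret file whose owner or mode is wrong before ever reading it, then binds over LDAPS or StartTLS with python-ldap. The secret path, the `expected_uid` parameter and the function names are assumptions for this example.

```python
import os
import stat
import tempfile


def check_secret_file(path, expected_uid=0):
    """Return the reasons the secret file is unsafe to use (empty list = OK)."""
    problems = []
    st = os.lstat(path)  # lstat: a symlink in /etc/x2go must not be followed
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & 0o077:
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def read_admin_secret(path="/etc/x2go/x2goldaptools.secret", expected_uid=0):
    """Load the admin bind password only from a root-owned, owner-only file."""
    problems = check_secret_file(path, expected_uid)
    if problems:
        raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    with open(path) as f:
        return f.readline().rstrip("\n")


def ldap_admin_connect(uri, admin_dn, secret, cacert):
    """Bind as the admin DN over an encrypted channel (ldaps:// or StartTLS)."""
    import ldap  # python-ldap; imported here so the file checks run without it
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # make the TLS options take effect
    if uri.startswith("ldap://"):
        conn.start_tls_s()  # plain port 389: upgrade before the password is sent
    conn.simple_bind_s(admin_dn, secret)  # fails loudly if the server rejects it
    return conn


def demo():
    """Constructed sample: one owner-only secret file, one world-readable one."""
    with tempfile.TemporaryDirectory() as d:
        good, loose = os.path.join(d, "ok.secret"), os.path.join(d, "loose.secret")
        for p in (good, loose):
            with open(p, "w") as f:
                f.write("constructed-secret\n")
        os.chmod(good, 0o600)
        os.chmod(loose, 0o644)
        me = os.getuid()  # the demo runs unprivileged, so expect the current uid
        return read_admin_secret(good, me), check_secret_file(loose, me)
```

In a real deployment the default `expected_uid=0` applies, so the check also fails if the file was created by the wrong account.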
