On Wed, 2010-06-30 at 13:11 +0200, Mike Gabriel wrote: > Hi there, > > after havine played with x2goserver-one/sqlite for a while I am > testing x2goserver with LDAP/Postgres setup. > > The Postgres setup was easy, thanks to the wiki (there are some > essential typos in the wiki page, I have registered with the wiki to > fix them). > > But LDAP... > > My very first impression is - and maybe I am wrong - that the > LDAP-Server setup is far to rigid (I will speak openly). > > I use x2go over the internet, thus every connection I make has to be > encrypted and needs authentication. > > > 1. LDAPS support > the x2goclient does not support LDAPS... Does it support StartTLS > somewhere hidden in its guts? Otherwise, LDAPS is definitely an item > for the x2go wishlist > > > 2. LDAP Auth > the x2goclient does not support LDAP auth. At least simple_bind_s > should be possible... -> wishlist. When exactly does the x2goclient > access the LDAP db? I suppose before authentication to one of the > x2goservers. I wonder, if LDAP access was possible to also tunnel LDAP > access through ssh... (i.e. after session login). > > > 3. Documentation of Internas > The LDAP scripts in the x2goldaptools package help to setup an LDAP > server from scratch. This is not what people might want if they > migrate a site. For site migration to x2go without help of your setup > scripts the internas of the LDAP communication/data storage methods > must be documented better (e.g. difference between server and host in > LDAP -> serial = 1, scratchscratch...). > > > 4. Admin DN... > The migration/setup scripts pre-requisite cn=ldapadmin,$BASE as admin > DN. This is too rigid! There is a config file for LDAP settings > (/etc/x2go/x2goldaptools.conf). This one should be used for putting > information on the LDAP database. > > > 5. Admin DN secret... > The migration tools take the LDAP admin password from > /etc/libnss_ldap.secret. Also the ldap secret should be retrieved from > /etc/x2go/x2goldaptools.conf, or even better from a > /etc/x2go/x2goldaptools.secret file (0600:root:root). It might well be > that people setup a special x2goadmin account in LDAP for the purpose > of administrating x2go relevant LDAP-objects. > > > 6. LDAP storage structures > Really big organizations group there LDAP data into ous. One ou for > one department at work (e.g. ou=sales,$BASE; ou=management,$BASE; > etc.). Within these ous they store sub-ous like group, people, hosts > etc. Sometimes they even have ou based Administrators. > > cn=admin,ou=sales,$BASE > ou=people,ou=sales,$BASE > ou=group,ou=sales,$BASE > ou=hosts,ou=sales,$BASE > > cn=admin,ou=support,$BASE > ou=people,ou=support,$BASE > ou=group,ou=support,$BASE > ou=hosts,ou=support,$BASE > > ... > > This is an approach the system and user management software GOsa² > goes, also AD structures often look like this. > > I wonder if x2go is flexible enough to handle structures like these... > > > 7. Active Directory > This might be overkill now, but has anyone tried to store x2go users, > hosts and groups in AD??? With support of winbind, maybe? > > > 8. Why LDAP? > Could anyone explain me, what x2go explicitly needs LDAP for? What > information is stored in LDAP that could not be replaced by any other > libnss services. (Has anyone ever thought to use netgroups and > pam_access for machine access control, BTW?). > > > 9. Load-Balancing > Could also anyone hint to me, how load-balancing in multi-server setup > works with x2go? I guess this question is related to LDAP... > > > Loads of questions, sorry, but I couldn't get LDAP functionality > running out of the box with my already existing LDAP setup. <snip> Thanks for articulating this. We would also like to see some growth in LDAP. We use RedHat's DS and have shied away from X2Go/LDAP for both lack of time to unravel it and because it appeared a little too rigid at first glance. I'll be quite interested in what you find - John
_______________________________________________ X2go-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/x2go-dev
