Redirect rules to nodes do not work

Forum / NoMachine Cloud Server Products / Redirect rules to nodes do not work

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #4312
    esarmien
    Participant

    Hi,

    We currently have three classes of users: ‘vnc’, ‘ksg’, and ‘edlabs.’ The VNC should only be able to connect to terminal nodes rce6-1..rce6-3:4000, KSG to ksg6-1..ksg6-2:4000 and edlabs to edlabs-1:4000. We currently have these nodes added in a multi-node setup. I wanted to test user and group re-direction. The first thing I noticed is that NX4 does not support LDAP groups for redirecting- for example, in our setup, the LDAP groups ‘ksg’, ‘vnc’, and ‘admin’ already exist, but NX is not aware of them for this purpose (but is for logging in and SSH auth)

    So I tried the following-
    /usr/NX/bin/nxserver –groupadd admin –redirect rce6-1.priv.hmdc.harvard.edu:4000

    /usr/NX/bin/nserver –useradd esarmien –group admin

    This appeared to work. I added my own username to the group ‘admin’, It didn’t require that I set a password because I have an LDAP password. However when I login, I am not redirected to rce6-1.priv, it still uses round-robin to select a login node.

    Am I doing something wrong?

    Best,

    Evan

    #4315
    Haven
    Participant

    Hello esarmien,

    Group redirect will not work in this case, because it it designed to redirect player connections directly to other host and ‘terminal nodes’ cannot be accessed directly.

    The solution can be to disable other nodes for specific group:

    nxserver –ruleadd –class=node –type=<host>:<port> –value=no –group=<group name>

    #4342
    esarmien
    Participant

    Hi Haven,

    That doesn’t make any sense. I want to be able to forward specific group of users to a set of terminal nodes.

    I shouldn’t have to make a group called ‘ksg’, and then for every host that isn’t a ‘ksg’ terminal node, run a command, that would be a bit insane. Check this problem out:

    I have the following nodes:

    ksg6-1

    ksg6-2

    rce6-1

    rce6-2

     

    If I want the group ksg to be able to access ksg6-1 and ksg6-2, but not rce6-1 and rce6-2, I have to say

    nxserver –ruleadd –class=node –type=rce6-1.hmdc.harvard.edu:4000 –value=no –group=ksg

    nxserver –ruleadd –class=node –type=rce6-2.hmdc.harvard.edu:4000 –value=no –group=ksg

    But, what happens if I add more rce nodes, like rce6-3? I have to continue to add these rules, why can’t I do something like this?

    nxserver –ruleadd –class=node –type=ksg6-1.hmdc.harvard.edu:4000 –value=only –group=ksg

    nxserver –ruleadd –class=node –type=ksg6-2.hmdc.harvard.edu:4000 –value=only –group=ksg

     

    Where ‘only’ means that that group is only allowed to access ksg6-1 and ksg6-2

    And why don’t NX groups get automatically populated with LDAP groups? That doesn’t make any sense either.

     

    Best,

    Evan

     

    #4368
    Haven
    Participant

    Hello esarmien,

    the other solution that is probably more comfortable could be to disable each node for everybody:

    /etc/NX/nxserver –ruleadd –class=node –type=<host>:<port> –value=no

    and then enable node only for specific group:

    /etc/NX/nxserver –ruleadd –class=node –type=<host>:<port> –value=yes –group=<group name>

    We do not have –value=only available.

Viewing 4 posts - 1 through 4 (of 4 total)

This topic was marked as closed, you can't post.