- This topic has 3 replies, 2 voices, and was last updated 10 years, 3 months ago by
.
-
Posts
-
Hi,
We currently have three classes of users: ‘vnc’, ‘ksg’, and ‘edlabs.’ The VNC should only be able to connect to terminal nodes rce6-1..rce6-3:4000, KSG to ksg6-1..ksg6-2:4000 and edlabs to edlabs-1:4000. We currently have these nodes added in a multi-node setup. I wanted to test user and group re-direction. The first thing I noticed is that NX4 does not support LDAP groups for redirecting- for example, in our setup, the LDAP groups ‘ksg’, ‘vnc’, and ‘admin’ already exist, but NX is not aware of them for this purpose (but is for logging in and SSH auth)
So I tried the following-
/usr/NX/bin/nxserver –groupadd admin –redirect rce6-1.priv.hmdc.harvard.edu:4000/usr/NX/bin/nserver –useradd esarmien –group admin
This appeared to work. I added my own username to the group ‘admin’, It didn’t require that I set a password because I have an LDAP password. However when I login, I am not redirected to rce6-1.priv, it still uses round-robin to select a login node.
Am I doing something wrong?
Best,
Evan
Hello esarmien,
Group redirect will not work in this case, because it it designed to redirect player connections directly to other host and ‘terminal nodes’ cannot be accessed directly.
The solution can be to disable other nodes for specific group:
nxserver –ruleadd –class=node –type=<host>:<port> –value=no –group=<group name>
Hi Haven,
That doesn’t make any sense. I want to be able to forward specific group of users to a set of terminal nodes.
I shouldn’t have to make a group called ‘ksg’, and then for every host that isn’t a ‘ksg’ terminal node, run a command, that would be a bit insane. Check this problem out:
I have the following nodes:
ksg6-1
ksg6-2
rce6-1
rce6-2
If I want the group ksg to be able to access ksg6-1 and ksg6-2, but not rce6-1 and rce6-2, I have to say
nxserver –ruleadd –class=node –type=rce6-1.hmdc.harvard.edu:4000 –value=no –group=ksg
nxserver –ruleadd –class=node –type=rce6-2.hmdc.harvard.edu:4000 –value=no –group=ksg
But, what happens if I add more rce nodes, like rce6-3? I have to continue to add these rules, why can’t I do something like this?
nxserver –ruleadd –class=node –type=ksg6-1.hmdc.harvard.edu:4000 –value=only –group=ksg
nxserver –ruleadd –class=node –type=ksg6-2.hmdc.harvard.edu:4000 –value=only –group=ksg
Where ‘only’ means that that group is only allowed to access ksg6-1 and ksg6-2
And why don’t NX groups get automatically populated with LDAP groups? That doesn’t make any sense either.
Best,
Evan
Hello esarmien,
the other solution that is probably more comfortable could be to disable each node for everybody:
/etc/NX/nxserver –ruleadd –class=node –type=<host>:<port> –value=no
and then enable node only for specific group:
/etc/NX/nxserver –ruleadd –class=node –type=<host>:<port> –value=yes –group=<group name>
We do not have –value=only available.
This topic was marked as closed, you can't post.