Forum / NoMachine Cloud Server Products / Redirect rules to nodes do not work
July 25, 2014 at 09:10 #4312 esarmien Participant
Hi,
We currently have three classes of users: ‘vnc’, ‘ksg’, and ‘edlabs.’ The VNC should only be able to connect to terminal nodes rce6-1..rce6-3:4000, KSG to ksg6-1..ksg6-2:4000 and edlabs to edlabs-1:4000. We currently have these nodes added in a multi-node setup. I wanted to test user and group redirection. The first thing I noticed is that NX4 does not support LDAP groups for redirecting; for example, in our setup, the LDAP groups ‘ksg’, ‘vnc’, and ‘admin’ already exist, but NX is not aware of them for this purpose (but is for logging in and SSH auth).
So I tried the following:
/usr/NX/bin/nxserver --groupadd admin --redirect rce6-1.priv.hmdc.harvard.edu:4000
/usr/NX/bin/nxserver --useradd esarmien --group admin
This appeared to work. I added my own username to the group ‘admin’. It didn’t require that I set a password because I have an LDAP password. However, when I log in, I am not redirected to rce6-1.priv; it still uses round-robin to select a login node.
Am I doing something wrong?
Best,
Evan
July 25, 2014 at 14:14 #4315 Haven Participant
Hello esarmien,
Group redirect will not work in this case, because it is designed to redirect player connections directly to another host, and ‘terminal nodes’ cannot be accessed directly.
The solution can be to disable other nodes for a specific group:
nxserver --ruleadd --class=node --type=<host>:<port> --value=no --group=<group name>
July 30, 2014 at 07:15 #4342 esarmien Participant
Hi Haven,
That doesn’t make any sense. I want to be able to forward a specific group of users to a set of terminal nodes.
I shouldn’t have to make a group called ‘ksg’, and then for every host that isn’t a ‘ksg’ terminal node, run a command; that would be a bit insane. Check this problem out:
I have the following nodes:
ksg6-1
ksg6-2
rce6-1
rce6-2
If I want the group ksg to be able to access ksg6-1 and ksg6-2, but not rce6-1 and rce6-2, I have to say:
nxserver --ruleadd --class=node --type=rce6-1.hmdc.harvard.edu:4000 --value=no --group=ksg
nxserver --ruleadd --class=node --type=rce6-2.hmdc.harvard.edu:4000 --value=no --group=ksg
But what happens if I add more rce nodes, like rce6-3? I have to continue to add these rules. Why can’t I do something like this?
nxserver --ruleadd --class=node --type=ksg6-1.hmdc.harvard.edu:4000 --value=only --group=ksg
nxserver --ruleadd --class=node --type=ksg6-2.hmdc.harvard.edu:4000 --value=only --group=ksg
Where ‘only’ means that that group is only allowed to access ksg6-1 and ksg6-2.
And why don’t NX groups get automatically populated with LDAP groups? That doesn’t make any sense either.
Best,
Evan
August 1, 2014 at 15:57 #4368 Haven Participant
Hello esarmien,
The other solution, which is probably more comfortable, could be to disable each node for everybody:
/etc/NX/nxserver --ruleadd --class=node --type=<host>:<port> --value=no
and then enable the node only for a specific group:
/etc/NX/nxserver --ruleadd --class=node --type=<host>:<port> --value=yes --group=<group name>
We do not have --value=only available.
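
The deny-for-everybody, allow-per-group scheme from the last reply, as an added example that is not part of the thread or NoMachine's own tooling: a dry-run generator that prints the rule commands from a node-to-group table, so adding a node means adding one table line. The rule syntax, the /etc/NX/nxserver path and the hostnames are those quoted in the thread; the table format, the `gen_node_rules` function and the `NXSERVER` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for NoMachine node rules.
# Rule syntax and the /etc/NX/nxserver path are as quoted in the thread; the
# table format, gen_node_rules and NXSERVER are assumptions of this example.
NXSERVER="${NXSERVER:-/etc/NX/nxserver}"

# Constructed sample table: one "<host>:<port> <group>" pair per line.
NODE_TABLE='
ksg6-1.hmdc.harvard.edu:4000 ksg
ksg6-2.hmdc.harvard.edu:4000 ksg
rce6-1.hmdc.harvard.edu:4000 vnc
rce6-2.hmdc.harvard.edu:4000 vnc
'

# gen_node_rules TABLE
# Prints one deny-for-everybody rule per node, then one allow rule per
# (node, group) pair. Fields are validated because the output is meant to be
# run by a shell; on any bad entry nothing is printed and the status is 1.
gen_node_rules() {
    printf '%s\n' "$1" | awk -v nx="$NXSERVER" '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        NF != 2 || $1 !~ /^[A-Za-z0-9.-]+:[0-9]+$/ || $2 !~ /^[A-Za-z0-9_-]+$/ {
            printf "bad entry, line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        !($1 in node) {                             # first sighting: default deny
            node[$1] = 1
            out = out nx " --ruleadd --class=node --type=" $1 " --value=no\n"
        }
        !(($1, $2) in pair) {                       # allow this group on this node
            pair[$1, $2] = 1
            out = out nx " --ruleadd --class=node --type=" $1 " --value=yes --group=" $2 "\n"
        }
        END { if (bad) exit 1; printf "%s", out }
    '
}

# Dry run: print the commands for the sample table; nothing is executed.
gen_node_rules "$NODE_TABLE"
```

The script only prints commands, so the generated rule set can be reviewed before it is run on the server.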