Forum / NoMachine Cloud Server Products / Redirect rules to nodes do not work
- This topic has 3 replies, 2 voices, and was last updated 8 years, 10 months ago by Haven.
July 25, 2014 at 09:10 #4312 esarmien Participant
We currently have three classes of users: ‘vnc’, ‘ksg’, and ‘edlabs.’ The VNC should only be able to connect to terminal nodes rce6-1..rce6-3:4000, KSG to ksg6-1..ksg6-2:4000 and edlabs to edlabs-1:4000. We currently have these nodes added in a multi-node setup. I wanted to test user and group re-direction. The first thing I noticed is that NX4 does not support LDAP groups for redirecting; for example, in our setup, the LDAP groups ‘ksg’, ‘vnc’, and ‘admin’ already exist, but NX is not aware of them for this purpose (but is for logging in and SSH auth).
So I tried the following:
/usr/NX/bin/nxserver --groupadd admin --redirect rce6-1.priv.hmdc.harvard.edu:4000
/usr/NX/bin/nxserver --useradd esarmien --group admin
This appeared to work. I added my own username to the group ‘admin’. It didn’t require that I set a password because I have an LDAP password. However, when I log in, I am not redirected to rce6-1.priv; it still uses round-robin to select a login node.
Am I doing something wrong?
Evan
July 25, 2014 at 14:14 #4315 Haven Participant
Group redirect will not work in this case, because it is designed to redirect player connections directly to another host, and ‘terminal nodes’ cannot be accessed directly.
The solution can be to disable other nodes for a specific group:
nxserver --ruleadd --class=node --type=<host>:<port> --value=no --group=<group name>
July 30, 2014 at 07:15 #4342 esarmien Participant
That doesn’t make any sense. I want to be able to forward a specific group of users to a set of terminal nodes.
I shouldn’t have to make a group called ‘ksg’, and then for every host that isn’t a ‘ksg’ terminal node, run a command, that would be a bit insane. Check this problem out:
I have the following nodes:
If I want the group ksg to be able to access ksg6-1 and ksg6-2, but not rce6-1 and rce6-2, I have to say
nxserver --ruleadd --class=node --type=rce6-1.hmdc.harvard.edu:4000 --value=no --group=ksg
nxserver --ruleadd --class=node --type=rce6-2.hmdc.harvard.edu:4000 --value=no --group=ksg
But, what happens if I add more rce nodes, like rce6-3? I have to continue to add these rules, why can’t I do something like this?
nxserver --ruleadd --class=node --type=ksg6-1.hmdc.harvard.edu:4000 --value=only --group=ksg
nxserver --ruleadd --class=node --type=ksg6-2.hmdc.harvard.edu:4000 --value=only --group=ksg
Where ‘only’ means that that group is only allowed to access ksg6-1 and ksg6-2.
And why don’t NX groups get automatically populated with LDAP groups? That doesn’t make any sense either.
Evan
August 1, 2014 at 15:57 #4368 Haven Participant
The other solution, which is probably more comfortable, could be to disable each node for everybody:
/etc/NX/nxserver --ruleadd --class=node --type=<host>:<port> --value=no
and then enable the node only for a specific group:
/etc/NX/nxserver --ruleadd --class=node --type=<host>:<port> --value=yes --group=<group name>
We do not have --value=only available.
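Added example, not part of the thread and not NoMachine's own code: a script that prints (does not execute) the rule commands for the deny-for-everybody, allow-per-group layout described in the last reply, so that adding a node means adding one line to a map. The map contents, the function name gen_node_rules and the .hmdc.harvard.edu names for rce6-3 are assumptions built from the names mentioned above; only the nxserver flags shown in the thread are used.

```shell
#!/bin/sh
# Prints the nxserver rule commands; review the output before running it.
NXSERVER=/etc/NX/nxserver

# Constructed sample map: one "group host:port" pair per line.
NODE_MAP='vnc rce6-1.hmdc.harvard.edu:4000
vnc rce6-2.hmdc.harvard.edu:4000
vnc rce6-3.hmdc.harvard.edu:4000
ksg ksg6-1.hmdc.harvard.edu:4000
ksg ksg6-2.hmdc.harvard.edu:4000
edlabs edlabs-1:4000'

gen_node_rules() {
    # $1: map text. Emits one global deny per distinct node, then one
    # allow per (group, node) pair. Any malformed line aborts with status 1
    # and no output, so stray shell characters never reach a command line.
    printf '%s\n' "$1" | awk -v nx="$NXSERVER" '
        NF == 0 || $1 ~ /^#/ { next }
        NF != 2 || $1 !~ /^[A-Za-z0-9_-]+$/ || $2 !~ /^[A-Za-z0-9.-]+:[0-9]+$/ {
            printf "bad map line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1; next
        }
        !($2 in seen) { seen[$2] = 1; nodes[++n] = $2 }
        { allow[++m] = nx " --ruleadd --class=node --type=" $2 \
                          " --value=yes --group=" $1 }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++)
                print nx " --ruleadd --class=node --type=" nodes[i] " --value=no"
            for (i = 1; i <= m; i++) print allow[i]
        }'
}

gen_node_rules "$NODE_MAP"
```

The deny rules are printed first and the per-group allow rules second, matching the order given in the reply.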