XCP-ng

    Multiple AD sources to Xen Orchestra

    Category: Xen Orchestra. 11 Posts, 6 Posters, 153 Views
    • tuckertt

      Hi,

      I have a requirement to authenticate against two different Active Directory instances and was wondering if it's possible. The two AD instances have different naming schemes for users and such. One instance is used for administrative functions and the other for general users.

      I was wondering if it would be as simple as:

      • taking a copy of xo-server-auth-ldap
      • amending the package.json
      • change the class name to separate it from the original within XO https://github.com/vatesfr/xen-orchestra/blob/master/packages/xo-server-auth-ldap/src/index.js#L187
      • import the plugin

      Or would it be more involved? I wasn't sure if the internal LDAP references were general text, called functions or specific to the integration, so I thought it best to check before I hacked at it too much.

      This would initially be used in the self-compiled (Docker container) version of Xen Orchestra, but I'm hoping the company will also pick up a licence, so it is liable to be added into a separate instance of XOA. I'm guessing it would be the same kind of import process for the second plugin there too.

      Sorry if there's something already about on this. When I looked, all I could find was a post around a master and backup of the same AD instance as opposed to two different instances.

      • lawrencesystems (Ambassador) @tuckertt

        @tuckertt

        Not a direct answer to your question, but something to think about. I get that connecting XO to Active Directory is good for centralized identity management and offers easier onboarding/offboarding, one password to rule them all. But the reality is that once AD is compromised, attackers can pivot straight into the virtualization layer — the crown jewels.

        • DustinB

          You shouldn't be looking to do this; you're customizing your environment in such a way that the community would likely struggle to assist, although maybe the Vates team would be willing to.

          Lawrence's comments notwithstanding, how would XO know which AD is authoritative? Permissions administration is going to be a nightmare.

          While there are multiple plugins for Authentication to XO, I would doubt if you could use multiple plugins at the same time as I've never bothered to try to use multiple, though this may be the most reasonable approach to try to achieve what you're asking for.

          I.e. maybe one company uses GCP, so you authenticate that org with the auth-google plugin, and the other you authenticate with the auth-ldap plugin.

          • tuckertt @DustinB

            @DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play.

            • DustinB @tuckertt

              @tuckertt said in Multiple AD sources to Xen Orchestra:

              @DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play. The administrator AD is UK only and the other AD can be anyone.

              You're allowed to have shared hypervisors? Do these servers operate in the Atlantic ocean? 😉

              • DustinB @tuckertt

                @tuckertt said in Multiple AD sources to Xen Orchestra:

                @DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play. The administrator AD is UK only and the other AD can be anyone.

                GDPR is really a bit of a pain in the butt, because a username is covered under GDPR and the username has to stay within the user's country.

                The question I would raise is: is there a better way to limit this data to its required geographic region, like multiple XO instances and pools? Rather than one large pool, which would then be configured to allow people to access the resources from different geographic regions while keeping things GDPR compliant.

                The Vates team, being from France, likely has some ideas on this that would be worth consulting with them on.

                • tuckertt @lawrencesystems

                  @lawrencesystems so again it's a compliance piece. BTW, big fan of the videos.

                  • olivierlambert (Vates 🪐 Co-Founder CEO)

                    Adding XO PO in the loop @lsouai-vates

                    • Davidj 0

                      @tuckertt Are both AD domains in the same forest?

                      • tuckertt @Davidj 0

                        @Davidj-0 No, from what I gather the UK domain is completely separate. So administrators can restrict access to specific areas for users, potentially via the self-service mechanism, only allowing the restricted "local" usage.

                        Not sure I'm phrasing it well enough, but not sure how deep I can go officially.

                        • lsouai-vates (Vates 🪐 XO Team) @tuckertt

                          @tuckertt Hello! We are investigating authentication, users, ACLs, etc. for the upcoming Xen Orchestra 6 version. Could you please formalize your need so I can add it to my user suggestions list? 😉
                          Try to make the specs as generic (for all users) as possible, and don't hesitate to add some concrete examples.
                          Have a good day!
