Multiple AD sources to Xen Orchestra
-
Not a direct answer to your question, but something to think about. I get that connecting XO to Active Directory is good for centralized identity management and offers easier onboarding/offboarding, one password to rule them all. But the reality is that once AD is compromised, attackers can pivot straight into the virtualization layer — the crown jewels.
-
You shouldn't be looking to do this; you're customizing your environment in such a way that the community would likely struggle to assist, although maybe the Vates team would be willing to.
Lawrence's comments notwithstanding, how would XO know which AD is authoritative? Permissions administration is going to be a nightmare.
While there are multiple plugins for authentication to XO, I would doubt you could use multiple plugins at the same time, as I've never bothered to try to use multiple, though this may be the most reasonable approach to try to achieve what you're asking for.
I.e. maybe one company uses GCP, so you authenticate that org with the auth-google plugin, and the other you authenticate with the auth-ldap plugin.
-
@DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play.
-
@tuckertt said in Multiple AD sources to Xen Orchestra:
@DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play. The administrator AD is UK only and the other AD can be anyone
You're allowed to have shared hypervisors? Do these servers operate in the Atlantic ocean?
-
@tuckertt said in Multiple AD sources to Xen Orchestra:
@DustinB so it's as much a compliance piece as anything else. UK instance of a US company with data sovereignty laws in play. The administrator AD is UK only and the other AD can be anyone
GDPR is really a bit of a pain in the butt, because a username is covered under GDPR and the username has to stay within the user's country.
The question I would raise is whether there is a better way to limit this data to its required geographic region, like multiple XO instances and pools, rather than one large pool which would then be configured to allow people to access the resources from different geographic regions while keeping things GDPR compliant.
The Vates team, being from France, likely has some ideas on this that would be worth consulting them on.
-
@lawrencesystems so again it's a compliance piece. BTW, big fan of the videos.
-
Adding the XO PO to the loop: @lsouai-vates
-
@tuckertt Are both AD domains in the same forest?
-
@Davidj-0 No, from what I gather the UK domain is completely separate. So administrators can restrict access to specific areas for users, potentially via the self-service mechanism, only allowing the restricted "local" usage.
Not sure I'm phrasing it well enough, but not sure how deep I can go officially.
-
@tuckertt Hello! We are making some investigations on authentication, users, ACLs, etc. for the upcoming Xen Orchestra 6 version. Could you please formalize your need so I can add it to my user suggestions list?
Try to make the specs as generic (for all users) as possible, and don't hesitate to add some concrete examples.
Have a good day!