Saturday, August 3, 2013

How to authenticate users with Active Directory in Citrix XenServer

Hi, if you want to have multiple user accounts on a server or a pool, you must use Active Directory (AD) user accounts for authentication. 
To permit access, you must create a subject (user or group in AD) entry for the person or group you wish to grant access to. This can be done using XenCenter or the xe CLI.



1) A XenServer pool or a server.
2) An Active Directory Server (2003 or later)
3) A user account in AD for the integration. This user MUST BE a member of "Account Operator" at least.
4) Six groups in Active Directory, one for each Role Based Access Control role.

1) Enabling Active Directory Authentication

- Join the XenServer pool or server to Active Directory: under the pool or server node, go to Users, then Join Domain. Use the user created before*

- To disable, just click on Leave Domain.

- To enable using the xe CLI:

xe pool-enable-external-auth auth-type=AD \
service-name=<full-qualified-domain> \
config:user=<username> \
config:pass=<password>

- To disable using xe CLI:

xe pool-disable-external-auth


* This user MUST BE a member of "Account Operator" at least.


2) Setup Role Based Access Control

XenServer's Role Based Access Control (RBAC) allows you to assign users, roles, and permissions to control who has access to your XenServer and what actions they can perform.

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts.

There are 6 roles:

Pool Administrator (Pool Admin), Pool Operator (Pool Operator), Virtual Machine Power Administrator (VM Power Admin), Virtual Machine Administrator (VM Admin), Virtual Machine Operator (VM Operator), Read-only (Read Only)

- In XenCenter, under the pool or server node, go to the Users tab, click Add, and enter the name of the group for each role.

- Once the group has been added, right-click the group and choose Change Role. Select the role for the group you added.

- To remove a group, just click on remove.

- To add a subject using the xe CLI:

xe subject-add subject-name=<entity name>

- To assign an RBAC role to a created subject using the xe CLI (by role UUID or by role name):

xe subject-role-add uuid=<subject uuid> role-uuid=<role uuid>
xe subject-role-add uuid=<subject uuid> role-name=<role name>

- To remove a subject:

xe subject-remove subject-uuid=<subject uuid>


Now, to give a user access, just add the account to the corresponding group in Active Directory.
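
The CLI steps above can be scripted so that each AD group gets exactly one role and anything outside the six roles is refused. This is an added example, not part of the original post: the group names in the usage comment are constructed, the role names are the xe CLI names of the six roles listed above, and XE is a hypothetical variable that lets you point the script at a stub for a dry run.

```shell
#!/bin/sh
# Added example: map AD groups to XenServer RBAC roles with xe.
# XE is an assumption of this example; set it to a stub to dry-run.
XE="${XE:-xe}"

# xe CLI names of the six built-in roles.
VALID_ROLES="pool-admin pool-operator vm-power-admin vm-admin vm-operator read-only"

# is_valid_role ROLE: succeed only for one of the six known roles.
is_valid_role() {
    for r in $VALID_ROLES; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# assign_group GROUP ROLE: add the AD group as a subject, then give it one role.
assign_group() {
    group=$1
    role=$2
    if ! is_valid_role "$role"; then
        echo "refusing unknown role '$role' for group '$group'" >&2
        return 2
    fi
    # subject-add prints the UUID of the new subject on success.
    uuid=$("$XE" subject-add subject-name="$group") || return 1
    [ -n "$uuid" ] || return 1
    "$XE" subject-role-add uuid="$uuid" role-name="$role"
}

# apply_mapping: read "ROLE GROUP" lines from stdin (the group may contain
# spaces); skip blank lines and comments; stop at the first failure.
apply_mapping() {
    while read -r role group; do
        case "$role" in ''|'#'*) continue ;; esac
        assign_group "$group" "$role" || return $?
    done
}

# Usage (constructed group names):
#   apply_mapping <<EOF
#   pool-admin  xs-pool-admins
#   read-only   xs-read-only
#   EOF
```

Putting the role first on each line lets the group name keep any spaces it has in Active Directory.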


Let me know if you have questions.

See ya.
