you wish to manage user permissions in Active Directory, you could create a single group that you then add and remove users to/from; alternatively, you can add and remove individual users from XenServer, or a combination of users and groups as your would be appropriate for your authentication requirements. The subject list can be managed from XenCenter or using the CLI as described below.

When authenticating a user, the credentials are first checked against the local root account, allowing you to recover a system whose AD server has failed. If the credentials (i.e. username then password) do not match/ authenticate, then an authentication request is made to the AD server – if this is successful the user's information will be retrieved and validated against the local subject list, otherwise access will be denied. Validation against the subject list will succeed if the user or a group in the transitive group membership of the user is in the subject list.

Note:

When using Active Directory groups to grant access for Pool Administrator users who will require host ssh access, the number of users in the Active Directory group must not exceed 500.

Allowing a user access to XenServer using the CLI

To add an AD subject to XenServer:

xe subject-add subject-name=<entity name>

The entity name should be the name of the user or group to which you want to grant access. You may optionally include the domain of the entity (for example, '<xendt\user1>' as opposed to '<user1>') although the behavior will be the same unless disambiguation is required.

Removing access for a user using the CLI

1.Identify the subject identifier for the subject t you wish to revoke access. This would be the user or the group containing the user (removing a group would remove access to all users in that group, providing they are not also specified in the subject list). You can do this using the subject list command:

xe subject-list

You may wish to apply a filter to the list, for example to get the subject identifier for a user named user1 in the testad domain, you could use the following command:

xe subject-list other-config:subject-name='<domain\user>'

2.Remove the user using the subject-removecommand, passing in the subject identifier you learned in the previous step:

xe subject-remove subject-uuid=<subject-uuid>

3.You may wish to terminate any current session this user has already authenticated. See Terminating all authenticated sessions using xe and Terminating individual user sessions using xe for more information about terminating sessions. If you do not terminate sessions the users whose permissions have been revoked may be able to continue to access the system until they log out.

Listing subjects with access

To identify the list of users and groups with permission to access your XenServer host or pool, use the following command:

xe subject-list

Removing Access for a User

Once a user is authenticated, they will have access to the server until they end their session, or another user terminates their session. Removing a user from the subject list, or removing them from a group that is in the subject list, will not automatically revoke any already-authenticated sessions that the user has; this means that

9

Page 26 Page 28
Page 27
Image 27
Citrix Systems 6 manual Removing Access for a User, Allowing a user access to XenServer using the CLI
Page 26 Page 28
Top Page Image Contents