[Beowulf] Cluster Authentication (LDAP,NIS,AD)

Lachlan Musicman datakid at gmail.com
Wed Dec 27 18:54:04 PST 2017

On 28 December 2017 at 13:41, Robert Taylor <rgt at wi.mit.edu> wrote:

> Hi cluster gurus. I want to pick your collective brains.
> Right now, where I work, we have an Isilon, and NetApp, which we use for
> our small 250core compute cluster.
> We have NIS for authentication and automount maps on the cluster side, and
> AD for authentication on the Windows side, and LDAP for yet other
> things to authenticate against.
> The storage is connected to both NIS and AD, and does its best to match
> the two sides up.
> We have had some odd issues with authentication as of late with sources
> getting out of sync, which has brought up the discussion for consolidating
> down to a single source of truth, which would be AD. RFC2307 talks about
> stuffing NIS data into LDAP/AD, and there are commercial products such as
> Centrify that can do it.
> Does anyone run an entirely AD authentication environment with their
> compute cluster
> authenticating against it and using it for automount maps and such?
> Can you tell me what were your reasons for going that way, and any snags
> that you hit on the way?


We were asked/tasked with this a couple of years ago.

It took almost two years of shaking out the issues, but FreeIPA/SSSD in a
one-way trust with AD has worked excellently for 18 months. Our SLURM
cluster is on CentOS 7.4, and we needed to use the COPR version of SSSD
(1.16.x) rather than the version in the repos (1.15.x), but otherwise it is
fine. Would absolutely recommend.

Note that a lot of the issues we saw were directly related to our AD,
rather than any problems with FreeIPA and SSSD. For example for a long time
our AD login names had spaces in them (! would not recommend), and the age
and size of the AD instance also led to a few issues. Nothing that
couldn't be worked around. The devs and community are excellent at
responding to requests for help. It's a Red Hat product, so if you have a
subscription it would be even easier.


"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "

*Greg Bloom* @greggish