[Beowulf] Cluster Authentication (LDAP,NIS,AD)

Skylar Thompson skylar.thompson at gmail.com
Thu Dec 28 06:28:31 PST 2017


We are an AD shop, with users, groups, and automounter maps (for a short
while longer at least[1]) in the directory. I think once you get to
around schema level 2003R2 you'll be using RFC2307bis (biggest
difference from RFC2307 is that it supports nested groups) which is
basically what modern Linux distributions will be expecting. I can't
think of any serious problems we've had with it, though I work on the
UNIX side so for me it really does just look like an LDAP/Krb5 server.

I'm not a fan of Microsoft in general, but AD is one of the few products
that they've actually gotten right. In particular, the replication just
works --- in the 11 years we've been running AD, I can't think of a
single time our domain servers got out of sync.

[1] For automounter maps, we're in the process of moving from LDAP to
program maps. Due to some internal complexities, we need to support
multiple definitions for a single mount point, which is easiest to
accomplish with a client-side program map.

Skylar

On 12/27/2017 08:41 PM, Robert Taylor wrote:
> Hi cluster gurus. I want to pick your collective brains.
> Right now, where I work, we have an Isilon and NetApp, which we use
> for our small 250core compute cluster.
> 
> We have NIS for authentication and automount maps on the cluster side,
> and AD for authentication on the Windows side, and LDAP for yet
> other things to authenticate against.
> The storage is connected to both NIS and AD, and does its best to match
> the two sides up.
> We have had some odd issues with authentication as of late with sources
> getting out of sync, which has brought up the discussion for
> consolidating down to a single source of truth, which would be AD.
> RFC2307 talks about stuffing NIS data into LDAP/AD, and there are
> commercial products such as Centrify that can do it.
> 
> Does anyone run an entirely AD authentication environment with their
> compute cluster
> authenticating against it and using it for automount maps and such?
> Can you tell me what were your reasons for going that way, and any snags
> that you hit on the way?
> 
> We've just started looking at it, so I'm at the beginning of this road.
> 
> Any responses are appreciated.
> 
> Thanks.
> 
> rgt



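The client-side program map mentioned in footnote [1], sketched as an added example that is not the poster's code: autofs runs the executable with the lookup key as its argument and mounts whatever entry it prints on stdout. The host names, export paths and the rule for deciding a client's group are constructed assumptions.

```shell
#!/bin/sh
# Added example: autofs program map that picks one of several definitions
# for the same mount point. Hosts, paths and group names are constructed.

# Constructed table: key, client group ('*' = any), then the map entry.
MAP_TABLE='
scratch compute -fstype=nfs,rw,nosuid,nodev isilon.example.org:/ifs/scratch
scratch login   -fstype=nfs,ro,nosuid,nodev netapp.example.org:/vol/scratch
apps    *       -fstype=nfs,ro,nosuid,nodev netapp.example.org:/vol/apps
'

# Hypothetical rule for which group this client belongs to.
client_group() {
    case "$(hostname -s 2>/dev/null)" in
        node*) echo compute ;;
        *)     echo login ;;
    esac
}

# lookup_mount KEY GROUP: print the matching entry, or return 1 silently.
lookup_mount() {
    key=$1 group=$2
    # automount runs the map as root and the key is whatever directory
    # name a user touched, so accept only a plain name: no '/', no
    # leading dot, no shell metacharacters.
    case "$key" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    while read -r k g entry; do
        [ "$k" = "$key" ] || continue
        if [ "$g" = "$group" ] || [ "$g" = '*' ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done <<EOF
$MAP_TABLE
EOF
    return 1    # no output: autofs treats the key as nonexistent
}

# When invoked by automount, the key arrives as $1.
if [ "$#" -gt 0 ]; then
    lookup_mount "$1" "$(client_group)"
    exit $?
fi
```
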