[Beowulf] Cluster Authentication (LDAP,NIS,AD)

John Hearns hearnsj at googlemail.com
Thu Dec 28 10:47:09 PST 2017


Skylar, I admit my ignorance. What is a program map?
Where I work now extensively uses automounter maps for bind mounts.
I may well learn something useful here.

On 28 December 2017 at 15:28, Skylar Thompson <skylar.thompson at gmail.com>
wrote:

> We are an AD shop, with users, groups, and automounter maps (for a short
> while longer at least[1]) in the directory. I think once you get to
> around schema level 2003R2 you'll be using RFC2307bis (biggest
> difference from RFC2307 is that it supports nested groups) which is
> basically what modern Linux distributions will be expecting. I can't
> think of any serious problems we've had with it, though I work on the
> UNIX side so for me it really does just look like an LDAP/Krb5 server.
>
> I'm not a fan of Microsoft in general, but AD is one of the few products
> that they've actually gotten right. In particular, the replication just
> works --- in the 11 years we've been running AD, I can't think of a
> single time our domain servers got out of sync.
>
> [1] For automounter maps, we're in the process of moving from LDAP to
> program maps. Due to some internal complexities, we need to support
> multiple definitions for a single mount point, which is easiest to
> accomplish with a client-side program map.
>
> Skylar
>
> On 12/27/2017 08:41 PM, Robert Taylor wrote:
> > Hi cluster gurus. I want to pick your collective brains.
> > Right now, where I work, we have an isilon, and netapp, which we use
> > for our small 250-core compute cluster.
> >
> > We have NIS for authentication and automount maps on the cluster side,
> > and AD for authentication on the windows side, and LDAP for yet
> > other things to authenticate against.
> > The storage is connected to both nis and AD, and does its best to match
> > the two sides up.
> > We have had some odd issues with authentication as of late with sources
> > getting out of sync, which has brought up the discussion for
> > consolidating down to a single source of truth, which would be AD.
> > RFC2307 talks about stuffing NIS data into LDAP/AD, and there are
> > commercial products such as centrify that can do it.
> >
> > Does anyone run an entirely AD authentication environment with their
> > compute cluster
> > authenticating against it and using it for automount maps and such?
> > Can you tell me what were your reasons for going that way, and any snags
> > that you hit on the way?
> >
> > We've just started looking at it, so I'm on the beginning of this road.
> >
> > Any responses are appreciated.
> >
> > Thanks.
> >
> > rgt
> >
> >
> > _______________________________________________
> > Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> > To change your subscription (digest mode or unsubscribe) visit
> http://www.beowulf.org/mailman/listinfo/beowulf
> >
>
>
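
Added example, not part of the thread or any poster's configuration: a minimal autofs program map of the kind Skylar's footnote describes, where one mount point has several definitions and the client picks one. The server names, export paths, the "site" notion and the `SITE_FILE` marker are hypothetical; the key check is there because automount runs the map as root with whatever name a user looked up under the mount point.

```shell
#!/bin/sh
# Illustrative autofs program map (added example, not from the thread).
# automount runs the map with the lookup key as $1 and reads one map entry
# ("-options location", without the key) from stdout. No output or a
# non-zero exit status means the key does not exist.
# Hypothetical: server names, export paths, sites and SITE_FILE.

SITE_FILE="${SITE_FILE:-/etc/cluster-site}"   # hypothetical per-client marker

lookup_entry() {
    key="$1"
    site="$2"
    # The key is user-influenced and this script runs as root: reject empty
    # keys, dot-leading keys and anything outside a conservative charset
    # (this also rejects "/" and shell metacharacters).
    case "$key" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # Several definitions for the same mount point, selected client-side.
    case "$key:$site" in
        scratch:east)
            printf '%s\n' "-fstype=nfs,rw,nosuid,nodev nfs-east.example.org:/export/scratch" ;;
        scratch:west)
            printf '%s\n' "-fstype=nfs,rw,nosuid,nodev nfs-west.example.org:/export/scratch" ;;
        ref:*)
            printf '%s\n' "-fstype=nfs,ro,nosuid,nodev nfs-ref.example.org:/export/ref" ;;
        *)
            return 1 ;;
    esac
}

program_map_main() {
    # Fall back to a site with no site-specific entries if the marker is absent.
    site=$(cat "$SITE_FILE" 2>/dev/null) || site=default
    lookup_entry "$1" "$site"
}

# automount always passes the key as the first argument.
if [ "$#" -gt 0 ]; then
    program_map_main "$1"
fi
```

A map like this is referenced from auto.master with the `program:` map type and must be executable; keeping it root-owned and not writable by others matters because its output is mounted as root.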