[Beowulf] Poll - Directory implementation
pbisbal at pppl.gov
Mon Oct 29 08:01:49 PDT 2018
I'm actually thinking of doing the same here. We have AD, which we are
already using for Kerberos from the Linux side, so why not just use
AD's LDAP services, too? With the proper schemas installed and
authentication configured correctly, a Linux client should have no
problem using AD as the LDAP directory. Right now, we are replicating a
lot of user information in both LDAP and AD. The one concern would be
load on the AD server and through NAT when a large job starts up. As I
stated in an earlier e-mail on this topic, I like to make the head node
of each cluster a read-only replica of my LDAP directory so that the
nodes don't have to go through a NAT gateway to do LDAP lookups, and to
have multiple LDAP servers to spread the load to.
On 10/25/2018 07:49 PM, Skylar Thompson wrote:
> At Univ. of WA Genome Sciences, we use Active Directory, but we also
> support a modest desktop environment. As much as I am not a fan of
> Microsoft, AD just works (even the replication) and, since someone else is
> responsible for the Windows gear here, I can just think of it as an
> LDAP/Krb5 store with a few minor extensions.
> On Wed, Oct 24, 2018 at 11:29:39AM -0500, Tom Harvill wrote:
>> Long time lurker, very infrequent poster - I enjoy this list very much.
>> We run multiple clusters in different data centers with a single directory
>> (LDAP) for general authentication and some user grouping for special
>> purposes (e.g. delineating admin users for privileges). We put 'extra' user
>> data in an RDBMS.
>> We currently use 389-DS (aka Fedora Directory Server) and there is some
>> internal pressure to switch to OpenLDAP.
>> 389-DS is working well, we use the multi-master feature. It really hasn't
>> failed us.
>> I'm writing this list to ask:
>> - what directory solution do you implement?
>> - if LDAP, which flavor?
>> - do you have any opinions one way or another on the topic?
>> Because 389-DS has just worked, it's sort-of out of sight and mind. I've
>> been re-engaging it for a little while and from what I can see it's fairly
>> well documented (I don't remember this being the case when we originally set
>> it up 10+ years ago.) I think OpenLDAP doesn't have integrated multi-master
>> replication - that feature appears to be a bolted on script.
>> Thanks in advance for your time,
>> Tom Harvill
>> Holland Computing Center