modernizing user authentication #176
Comments
I think it might be difficult to do an easy NIS-LDAP transition, but yeah, certainly there are advantages to LDAP. If nothing else, if we do an EL8 midlife update, that could be a suitable moment? So we used to have our own LDAP auth system for our Linux workstations here, consisting of mainly
An alternative to doing all by yourself is to use IPA, which sets up 389 ldap server(s), krb5 infrastructure (using kerberos for auth instead of pam_ldap), CA, and ipa-client sets up sssd on the clients. The problem I see here is that we currently use krb to authenticate against our AD + NIS for some cluster internal accounts (e.g. the slurm user, fgi* accounts etc.), and I don't think it's possible to have a machine be a member of two krb5 realms at the same time. So I think that unfortunately rules out IPA. A benefit of LDAP for us would be that currently we must disable nscd, as it conflicts with sssd caching. So all NIS queries must hit the server. With LDAP, it's possible to have several domains in sssd, so we could cache both AD and cluster internal users/groups. If one goes all-in for LDAP, there's a lot of other things one can do with the LDAP DB than users/groups. E.g. sudo rules, autofs maps, mail aliases etc.
As for a non-LDAP solution, warewulf (used in OpenHPC) has its own way, which is essentially copying passwd/group from the admin node to all the managed nodes. At least it's simple, and you can manage it with the same tools as NIS and local passwd files.
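The multi-domain sssd setup described in the comment above (AD for people, a cluster-internal LDAP tree for service accounts, sssd caching both, sudo and autofs maps also served from LDAP) as a worked configuration. This is an added example, not a file from this project or from anyone in the thread; the realm, hostnames, base DNs and CA path are placeholders.

```ini
# /etc/sssd/sssd.conf (added example; placeholders throughout, must be mode 0600, owned by root)
[sssd]
config_file_version = 2
# sudo and autofs responders let sudo rules and automount maps come from LDAP too
services = nss, pam, sudo, autofs
# two independent identity domains; sssd caches entries from both itself
domains = ad.example.com, cluster

[nss]
# how long a cached passwd/group entry is served before a background refresh (seconds)
entry_cache_nowait_percentage = 50

# campus Active Directory: Kerberos authentication, users and groups via the AD provider
[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
cache_credentials = True
entry_cache_timeout = 5400

# cluster-internal LDAP tree: service accounts (slurm, fgi*), sudo rules, autofs maps
[domain/cluster]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
autofs_provider = ldap
ldap_uri = ldaps://ldap.cluster.example.com
ldap_search_base = dc=cluster,dc=example,dc=com
ldap_user_search_base = ou=People,dc=cluster,dc=example,dc=com
ldap_group_search_base = ou=Group,dc=cluster,dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=cluster,dc=example,dc=com
ldap_autofs_search_base = ou=automount,dc=cluster,dc=example,dc=com
# require a trusted server certificate; an unverified LDAPS channel is no better than NIS
ldap_tls_cacert = /etc/pki/tls/certs/cluster-ca.crt
ldap_tls_reqcert = demand
cache_credentials = True
enumerate = False
```

With sssd doing the caching, nscd should not also cache `passwd` and `group` (set `enable-cache passwd no` and `enable-cache group no` in `/etc/nscd.conf`, or stop nscd), which is the conflict the comment refers to. `getent passwd slurm` should then resolve from the `cluster` domain while an AD user resolves from `ad.example.com`, and `sssctl domain-status cluster` shows whether the LDAP backend is online.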
LDAP would be a more modern way of doing the user setup than NIS.
We chose to use the same (as in FGI) style because initially LDAP looked like a lot of work to set up and NIS works nicely and user administration with NIS was known to us and the cluster admins.
Some things to consider: