On 07/16/2014 05:44 AM, Jean-Baptiste Denis wrote:
Hello everybody,

I've got an HPC cluster on a private network without access to our LDAP servers
for reasons I don't have any influence on at the moment. Users connect to
special nodes called submit nodes to submit (eh!) jobs on the cluster. Those
nodes have access to the public facing network (hence our LDAP servers) and the
cluster private network.

At the moment, /etc/passwd /etc/group and /etc/shadow are simply dumped on all
cluster nodes. I'd like to move away from this setup.

How to update the submit nodes to use sssd with an ldap auth_provider should not
cause any trouble. I'm concerned about the nodes accessible on the private 
network.

I could configure submit nodes as ldap slaves, but there are security aspects in
that setup I'd like to avoid. My question is quite simple: is there a way to
leverage the "sssdified" submit nodes on other nodes using some kind of
relay/proxy ?

Any suggestion is welcome!


Right now, no.
And we do not have anything like this in our plans.
The simplest solution is to put one of the LDAP servers into the cluster.
If you can't do that then you are stuck with what you have now.

Potentially what you want is to be able to generate an SSSD cache db on one system and copy it around. There is no such functionality, and the problem with building one is creating password hashes in such a database in bulk (requires passwords in clear, which is a nonstarter). When users log in one by one, passwords can be captured and hashed for further use. It is hard to do in bulk.

Maybe what you can do is make users log into the gateway node and then once in a while copy its sssd caches to other nodes in the cluster, but SSSD on those nodes would be outdated for that period of time. I do not know how usable it is. A new user would have to wait for this period after he authenticated and before he actually can submit a job. Maybe you already have a mechanism to queue these things. Maybe you can somehow detect that the user is new and queue the SSSD cache update together with his actual job.



Jean-Baptiste


_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

