I'm actually thinking of doing the same here. We have AD, which we are
already using for Kerberos from the Linux side, so why not just use
AD's LDAP services, too? With the proper schemas installed and
authentication configured correctly, a Linux client should have no
problem using AD as the LDAP directory. Right now, we are replicating a
lot of user information in both LDAP and AD. The one concern would be
load on the AD server and through NAT when a large job starts up. As I
stated in an earlier e-mail on this topic, I like to make the head node
of each cluster a read-only replica of my LDAP directory so that the
nodes don't have to go through a NAT gateway to do LDAP lookups, and to
have multiple LDAP servers to spread the load to.
Prentice
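As an added illustration of the client-side setup Prentice describes (Linux host doing LDAP lookups against AD and Kerberos authentication against the same domain), here is an sssd.conf fragment. It is not from the original thread or from any poster's environment; the realm, hostnames, search base and group name are assumed placeholders. The head-node read-only replica that the message also mentions is a server-side concern and is not shown here; only the client configuration is.

```ini
# /etc/sssd/sssd.conf -- added example, not from the thread.
# Assumed values: realm EXAMPLE.ORG, DCs dc1/dc2.example.org,
# base DN DC=example,DC=org, admin group "linux-admins".
[sssd]
services = nss, pam
domains = example.org

[domain/example.org]
# Identity (users/groups) comes from AD's LDAP service, with the AD
# schema so uidNumber/gidNumber/unixHomeDirectory etc. are read from
# the RFC2307 attributes AD carries once the POSIX schema is in use.
id_provider = ldap
ldap_schema = ad
ldap_uri = ldap://dc1.example.org, ldap://dc2.example.org
ldap_search_base = DC=example,DC=org
# Ask AD for POSIX attributes rather than synthesising ids from SIDs.
ldap_id_mapping = False

# Bind to LDAP with the host's Kerberos credentials instead of a
# stored password, and require channel protection on the wire.
ldap_sasl_mech = GSSAPI
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Authentication is plain Kerberos against the same domain.
auth_provider = krb5
krb5_realm = EXAMPLE.ORG
krb5_server = dc1.example.org, dc2.example.org
krb5_keytab = /etc/krb5.keytab

# Reduce directory load from compute nodes: no full enumeration,
# and serve cached entries for a while before re-querying.
enumerate = False
cache_credentials = True
entry_cache_timeout = 3600

# Restrict interactive access to a specific AD group; other valid
# accounts still resolve via NSS but cannot log in.
access_provider = simple
simple_allow_groups = linux-admins
```

The `enumerate = False` and cache timeout settings are what keep many nodes starting a large job from hammering the directory at once, which is the load concern raised above; the read-only replica on the head node, if used, would simply replace the `ldap_uri` entries with the replica's address so lookups stay inside the cluster network.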
On 10/25/2018 07:49 PM, Skylar Thompson wrote:
At Univ. of WA Genome Sciences, we use Active Directory, but we also
support a modest desktop environment. As much as I am not a fan of
Microsoft, AD just works (even the replication) and, since someone else is
responsible for the Windows gear here, I can just think of it as an
LDAP/Krb5 store with a few minor extensions.
On Wed, Oct 24, 2018 at 11:29:39AM -0500, Tom Harvill wrote:
Hello,
Long time lurker, very infrequent poster - I enjoy this list very much.
We run multiple clusters in different data centers with a single directory
(LDAP) for general authentication and some user grouping for special
purposes (e.g. delineating admin users for privileges). We put 'extra' user
data in an RDBMS.
We currently use 389-DS (aka Fedora Directory Server) and there is some
internal pressure to switch to OpenLDAP.
389-DS is working well, we use the multi-master feature. It really hasn't
failed us.
I'm writing this list to ask:
- what directory solution do you implement?
- if LDAP, which flavor?
- do you have any opinions one way or another on the topic?
Because 389-DS has just worked, it's sort of out of sight and mind. I've
been re-engaging it for a little while and from what I can see it's fairly
well documented (I don't remember this being the case when we originally set
it up 10+ years ago.) I think OpenLDAP doesn't have integrated multi-master
replication - that feature appears to be a bolted-on script.
Thanks in advance for your time,
Tom
Tom Harvill
Holland Computing Center
https://hcc.unl.edu
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf