Integrating LDAP into CycleCloud Cluster for User authentication

This post has been republished via RSS; it originally appeared at: Azure Compute Blog articles.

Overview: 

Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High-Performance Computing (HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale. There are two primary mechanisms for enabling login access to cluster nodes: CycleCloud's built-in authentication, or integrating the nodes with a directory service such as Active Directory or LDAP. For enterprise production clusters, it is recommended that user access be managed through a directory service such as LDAP, Active Directory, or NIS.

In this blog, we discuss how to integrate LDAP into a CycleCloud cluster for node authentication and user management using cloud-init. The same approach gives you an idea of how to integrate other third-party user management systems, such as NIS, into CycleCloud clusters for node authentication.


Requirements:

  1. CycleCloud server (I am using CycleCloud version 8.2.2-1902)
  2. Functional LDAP server (I have an OpenLDAP server configured for user management)
  3. Compute OS - CentOS 7

Solution: 

The first requirement is to have a functional LDAP server. I have an OpenLDAP server running, and we are going to demonstrate how to enable login access to cluster nodes using an LDAP user named "vinil".

[azureuser@auth-server ~]$ ldapsearch -x -b "uid=vinil,ou=people,dc=msexample,dc=world" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <uid=vinil,ou=people,dc=msexample,dc=world> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# vinil, People, msexample.world
dn: uid=vinil,ou=People,dc=msexample,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: vinil
sn: vadakkepurakkal
loginShell: /bin/bash
uidNumber: 12001
gidNumber: 12001
homeDirectory: /shared/home/vinil
uid: vinil

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The built-in user management system is enabled by default on every CycleCloud installation and is an installation-wide setting -- all clusters managed by the CycleCloud server will have this enabled. To disable it, navigate to the CycleCloud section of the Settings page. The pop-up box contains an option for Node Authentication and selecting Disabled from the drop-down will ensure that no local user accounts aside from the VM agent user will be created.


Node authentication select "Disabled"


Create the cluster as usual with the preferred scheduler, VM SKUs, etc. In the cloud-init section, add the script that integrates the nodes with LDAP (the LDAP server and the cluster are in the same subnet).

Here I am using a shell script to configure the LDAP client on the Master and compute nodes.

#!/bin/sh
# Update the hostname in /etc/hosts for name resolution. Use the correct IP address of your LDAP server; this is for demo purposes only.
echo "10.222.1.17 auth-server.2bdikvxkkxjeffxswkrwrjvvra.bx.internal.cloudapp.net auth-server" >> /etc/hosts
# Install the required client packages
yum -y install openldap-clients nss-pam-ldapd
# Configure the LDAP client
authconfig --enableldap \
  --enableldapauth \
  --ldapserver=auth-server \
  --ldapbasedn="dc=msexample,dc=world" \
  --enablemkhomedir \
  --update

The LDAP user's home directory is set under /shared/home so that home directories are shared across all the cluster nodes. Use the same cloud-init script for all the node arrays (HPC, HTC, login, scheduler, etc.).


Let's test the authentication using an LDAP user. We can see that the built-in user management is disabled in the CycleCloud portal for the cluster.


Log in to the scheduler as the LDAP user "vinil" and check that the login succeeds. We are able to log in to the cluster as an LDAP user.

[azureuser@cc82b ~]$ ssh vinil@10.222.1.21
vinil@10.222.1.21's password:
Last login: Tue Aug 2 04:45:42 2022
[vinil@demo-scheduler ~]$ id
uid=12001(vinil) gid=12001(Vinil) groups=12001(Vinil) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[vinil@demo-scheduler ~]$ getent passwd vinil
vinil:x:12001:12001:vinil:/shared/home/vinil:/bin/bash
[vinil@demo-scheduler ~]$

NOTE: By default, SSH password authentication is disabled on the nodes. If you are using password-based authentication, make sure that "PasswordAuthentication yes" is set in the /etc/ssh/sshd_config file. Additionally, make sure the user's home directory exists with the proper permissions and that the SSH keys are present.

Similarly, for CycleCloud portal access, we can integrate LDAP or AD under Settings --> Authentication --> Configure --> LDAP. This enables LDAP users to log in to the CycleCloud portal using their LDAP credentials.


Conclusion:

Third-party user management systems can be easily integrated into CycleCloud for portal access and node authentication. This guide gives you an idea of how LDAP can be integrated for node authentication and portal access.


Reference:

Learn more about CycleCloud

More info on Azure High-Performance computing

Read more on Cyclecloud User Management
