In Bright Cluster Manager 9.0, cluster nodes still use nslcd for LDAP authentication. Since we have sssd working in Bright CM 6 (by necessity due to an issue with Univa Grid Engine and nslcd; see previous posts), we might as well change things over to sssd on Bright CM 9, too. The cluster now runs RHEL8.
First, we disable the nslcd service on all nodes. It was not obvious how to do this, since removing it from the device's services did nothing: the service just kept coming back enabled. That is, after “remove nslcd ; commit”, a “list” shows nslcd right back again.
Examining that service in the device view showed that it “belongs to a role,” but it is not listed in any role, nor in the category of that node.
[foocluster]% category use compute-cat
[foocluster->category[compute-cat]]% services
[foocluster->category[compute-cat]->services]% list
Service (key) Monitored Autostart
------------------------ ---------- ----------
It turns out that nslcd is part of a hidden role which is not visible to the user. So, you have to write a loop to disable nslcd on each node. Within cmsh:
[foocluster]% device
[foocluster->device]% foreach -v -n node001..node099 (services; use nslcd; set monitored no ; set autostart no)
[foocluster->device]% commit
To modify the node image, I modify the image on one node, and then do “grabimage -w” in cmsh on the head node.
You will need to install these packages:
- openldap-clients
- sssd
- sssd-ldap
- openssl-perl
Next, sssd setup. This may depend on your installation. The installation here uses the LDAP server set up by Bright CM, which uses SSL for encryption with both server and client certificates. (All self-signed with a dummy CA in the usual way.) The following /etc/sssd/sssd.conf shows only the non-empty sections. Your configuration may need to be different depending on your environment.
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://fooserver.cm.cluster
ldap_search_base = dc=cm,dc=cluster
# ldaps:// already encrypts the connection, so STARTTLS is not needed
ldap_id_use_start_tls = False
# demand: drop the connection if the server certificate cannot be verified
ldap_tls_reqcert = demand
# directory holding the cluster's (self-signed) CA certificate
ldap_tls_cacertdir = /cm/local/apps/openldap/etc/certs
# keep logins working if the LDAP server is temporarily unreachable
cache_credentials = True
enumerate = False
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_connection_expire_timeout = 60

[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
homedir_substring = /home
Then,
# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
I did not have to change /etc/openldap/ldap.conf.
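As an added example (it is not from the original post, nor Bright or SSSD code), here is a small POSIX shell checker that can be run against /etc/sssd/sssd.conf on the node before doing “grabimage -w”, so that an image never ships with an LDAP client that skips certificate verification or leaves the config world-readable. It checks the points that matter above: the file is mode 600, the transport is ldaps:// (plain ldap:// only passes with ldap_id_use_start_tls = True), ldap_tls_reqcert is demand, and a CA certificate or directory is configured. The function names, the use of GNU stat -c '%a', and the two constructed sample configs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an sssd.conf
# before it goes into the node image. Assumes POSIX sh and GNU stat(1)
# (stat -c '%a'). Function names are this example's own.

# get_key FILE KEY: print the value of the first "KEY = value" line, trimmed.
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_sssd_conf FILE: print one line per problem; return 1 if any, else 0.
check_sssd_conf() {
    f=$1
    rc=0

    # 1. Permissions. sssd refuses a group/world-readable config, and with
    #    cache_credentials = True the file sits beside cached credentials.
    mode=$(stat -c '%a' "$f" 2>/dev/null)
    if [ "$mode" != "600" ]; then
        echo "$f: mode is '$mode', expected 600"; rc=1
    fi

    # 2. Transport. ldaps:// is fine; plain ldap:// is only acceptable when
    #    ldap_id_use_start_tls is True, otherwise binds cross the wire in clear.
    uri=$(get_key "$f" ldap_uri)
    starttls=$(get_key "$f" ldap_id_use_start_tls)
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            case "$starttls" in
                [Tt]rue) ;;
                *) echo "$f: plain ldap:// without ldap_id_use_start_tls = True"; rc=1 ;;
            esac ;;
        *) echo "$f: ldap_uri missing or not ldap(s)://: '$uri'"; rc=1 ;;
    esac

    # 3. Certificate verification. Only 'demand' fails closed when the server
    #    certificate cannot be verified; 'allow' and 'never' silently accept it.
    reqcert=$(get_key "$f" ldap_tls_reqcert)
    if [ "$reqcert" != "demand" ]; then
        echo "$f: ldap_tls_reqcert is '$reqcert', expected demand"; rc=1
    fi

    # 4. A CA must be configured, or 'demand' can never succeed and every
    #    login fails (which tempts people into relaxing reqcert instead).
    if [ -z "$(get_key "$f" ldap_tls_cacert)" ] && [ -z "$(get_key "$f" ldap_tls_cacertdir)" ]; then
        echo "$f: neither ldap_tls_cacert nor ldap_tls_cacertdir is set"; rc=1
    fi

    return $rc
}

# write_sample_conf FILE MODE: write a constructed config (same values as the
# post) with the given file mode, to try the checker without a real node.
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldaps://fooserver.cm.cluster
ldap_id_use_start_tls = False
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /cm/local/apps/openldap/etc/certs
cache_credentials = True
EOF
    chmod "$2" "$1"
}

# write_weak_conf FILE: constructed config the checker should reject
# (plain ldap://, no STARTTLS, reqcert relaxed, no CA, world-readable).
write_weak_conf() {
    cat > "$1" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldap://fooserver.cm.cluster
ldap_id_use_start_tls = False
ldap_tls_reqcert = allow
EOF
    chmod 644 "$1"
}

# Usage: sh check_sssd.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    check_sssd_conf "$1"
fi
```

Running it with the path of the real config prints nothing and exits 0 when the file matches the settings above; each deviation is reported on its own line and the exit status is 1, which makes it easy to wire into whatever script prepares the node before the image is grabbed.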
The next step is to switch to using sssd for authentication. But first, stop and disable the nslcd service:
# systemctl stop nslcd
# systemctl disable nslcd
The old authconfig-tui utility is gone. The new one is authselect: you will have to force it to overwrite existing authentication configurations.
# authselect select sssd --force
There are other options to authselect, e.g. “with-mkhomedir”. See authselect(8) and authselect-profiles(5) for details. Other options may also require other packages to be installed.
Then, start and enable the sssd service. Check that user ID info can be retrieved:
# id someuser
Back on the head node, do “grabimage -w”.
Then, modify the node category to add the sssd service, setting it to autostart and to be monitored.