On 2017-04-11 09:04, Lachlan Musicman wrote:
> On 11 April 2017 at 02:36, Raymond Wan <rwan.w...@gmail.com> wrote:
> 
> 
>     For SLURM to work, I understand from web pages such as
>     https://slurm.schedmd.com/accounting.html that UIDs need to be shared
>     across nodes.  Based on this web page, it seems sharing /etc/passwd
>     between nodes appears sufficient.  The word LDAP is mentioned at the
>     end of the paragraph as an alternative.
> 
>     I guess what I would like to know is whether it is acceptable to
>     completely avoid LDAP and use the approach mentioned there?  The
>     reason I'm asking is that I seem to be having a very nasty time
>     setting up LDAP.  It doesn't seem as "easy" as I thought it would be
>     [perhaps it was my fault for thinking it would be easy...].
> 
>     If I can set up a small cluster without LDAP, that would be great.
>     But beyond this web page, I am wondering if there are suggestions for
>     "best practices".  For example, in practice, do most administrators
>     use LDAP?  If so and if it'll pay off in the end, then I can consider
>     continuing with setting it up...
> 
> 
> 
> We have had success with a FreeIPA installation to manage auth - every
> node is enrolled in a domain and each node runs SSSD (the FreeIPA client).

+1. Setting up an LDAP + krb5 infrastructure by hand is quite a chore
(been there, done that), but FreeIPA more or less automates all that.

> Our auth actually backs onto an Active Directory domain - I don't even
> have to manage the users. Which, to be honest, is quite a relief.

+1. Or rather, make that +1000. Before, there would be a constant stream
of users coming to our office requesting accounts, or wanting to reset a
forgotten password, or reactivate an expired account etc.; now all of
this is offloaded to the university IT helpdesk.

BTW, do you have some kind of trust relationship between your FreeIPA
domain and the AD domain, or how do you do it? I did play around with
using FreeIPA for our cluster as well and somehow synchronizing it with
the university AD domain, but in the end we managed to convince the
university IT to allow us to join our nodes directly to AD, so we were
able to skip FreeIPA entirely.

-- 
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqv...@aalto.fi
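
The requirement discussed in this thread, that UIDs match on every node, can be checked regardless of whether accounts come from a shared /etc/passwd, LDAP, FreeIPA or AD. The following is an added example, not part of the original messages: it compares passwd(5)-format text collected per node, and the hostnames, accounts and the `min_uid=1000` cut-off for regular accounts are assumptions.

```python
from collections import defaultdict

# Constructed sample input: passwd(5) text per node (hosts and accounts invented).
SAMPLE = {
    "head": "root:x:0:0:root:/root:/bin/bash\n"
            "alice:x:1001:1001::/home/alice:/bin/bash\n"
            "bob:x:1002:1002::/home/bob:/bin/bash\n"
            "carol:x:1003:1003::/home/carol:/bin/bash\n",
    "node01": "root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:1001:1001::/home/alice:/bin/bash\n"
              "bob:x:1003:1003::/home/bob:/bin/bash\n"
              "carol:x:1004:1004::/home/carol:/bin/bash\n",
    "node02": "root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:1001:1001::/home/alice:/bin/bash\n"
              "bob:x:1002:1002::/home/bob:/bin/bash\n",
}

def parse_passwd(text, min_uid=1000):
    """Return {name: (uid, gid)} for regular accounts in passwd(5) text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments, NIS compat lines and malformed entries.
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        uid, gid = int(fields[2]), int(fields[3])
        if uid >= min_uid:  # assumed boundary between system and user accounts
            accounts[fields[0]] = (uid, gid)
    return accounts

def audit(nodes, min_uid=1000):
    """Compare accounts across nodes and report three kinds of drift."""
    parsed = {host: parse_passwd(text, min_uid) for host, text in nodes.items()}
    by_name = defaultdict(dict)   # name -> {host: (uid, gid)}
    by_uid = defaultdict(set)     # uid  -> names seen with that uid on any node
    for host, accounts in parsed.items():
        for name, ids in accounts.items():
            by_name[name][host] = ids
            by_uid[ids[0]].add(name)
    return {
        # Same login, different numeric identity: file ownership diverges.
        "id_mismatch": {n: h for n, h in by_name.items() if len(set(h.values())) > 1},
        # Login that some node cannot resolve at all.
        "missing": {n: sorted(set(parsed) - set(h)) for n, h in by_name.items()
                    if len(h) < len(parsed)},
        # One UID, several logins: on shared storage they own each other's files.
        "uid_collision": {u: sorted(ns) for u, ns in by_uid.items() if len(ns) > 1},
    }
```

Calling `audit(SAMPLE)` flags `bob` and `carol` for differing IDs, `carol` as missing on `node02`, and UID 1003 as shared by two logins.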
