How to synchronize users between master and compute nodes


I have an application where I need to use pcluster to initialize a master server which will have several accounts for my coworkers to log in. This server must run uninterrupted (it can't be taken down to be reinitialized with a new image). Each of my coworkers' accounts needs to be able to launch compute nodes through our scheduler (Slurm). I also don't know which coworkers will need accounts, so I need to be able to add or remove accounts after the master node has been initialized.

I have been testing the master node created by pcluster to try to verify this functionality. What I have found is that if the user wasn't created as part of the AMI template OR as part of the post-install script, the compute node will not have the user.

Is there a supported way to keep the users synchronized between the master and compute nodes?

asked 3 years ago, 320 views
6 answers
Accepted answer

Hi ProlucidDavid,

A simple way to have multiple users on ParallelCluster is to use an OpenLDAP directory service:

or integrate ParallelCluster with an existing Active Directory service:

If the instances of the cluster are "static", you might consider executing the actions on multiple instances by using SSM, but this approach only affects already running instances:

Another "dirty" alternative might be to create a custom script that adds the user on the head node and updates the pre/post-install script used by the cluster, to add the new users at boot time, but this only affects new instances, so you need to stop/start the cluster:

I think the first alternative is the best fit to your request but the second one is a good one too.
Let us know if it helps.

AWS EXPERT
answered 3 years ago, reviewed 5 months ago

Thank you for the suggestions, enrico-aws.

I have followed your first link: https://aws.amazon.com/blogs/opensource/managing-aws-parallelcluster-ssh-users-with-openldap/ and was able to generate an LDAP non-admin account. There is a comment on the blog that instructs how root can edit the password of the LDAP non-admin account. Unfortunately, if I log in as the LDAP non-admin account and run passwd, I get the following error:

password change failed: Insufficient access
passwd: Authentication token manipulation error

Do you have any insight on why this is happening and how it could be resolved?

answered 3 years ago

Hi ProlucidDavid,

If I understood correctly, your goal is to permit the non-admin user to change their password using the passwd command.

From what I can read online, you need to add an ACL to permit non-admin users to change their passwords.
I found this link that looks promising: https://www.unixguide.net/content/openldap-allow-users-change-their-password-unix-passwd-command
and this other one: https://forums.centos.org/viewtopic.php?t=66493

This is an OpenLDAP specific configuration and you can find all the details in the official OpenLDAP doc: https://www.openldap.org/doc/admin24/access-control.html

What about using ssh keys instead of passwords?

Let me know if it helps.

AWS
answered 3 years ago

Hi enrico-aws,

I appreciate your links, they were helpful. I also asked a similar question on server fault: https://serverfault.com/questions/1049748/openldap-implementation-allows-only-root-user-to-set-passwords-of-accounts/1049771?noredirect=1#comment1367195_1049771. From this, I created a file called password_policy.ldif which has the following contents:

# Replace the whole olcAccess list of the {2}hdb database. The {0}/{1}
# prefixes fix the order; slapd uses the first "to" clause that matches,
# so the userPassword rule must come before the catch-all. Continuation
# lines need two leading spaces (LDIF strips one when folding).
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by * auth
olcAccess: {1}to *
  by * read

I was able to apply the policy by executing:
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f passwordaccess.ldif

This resolved my issue

answered 3 years ago

Hi enrico-aws,

I was hoping to add a few followup notes to the previous messages here:

  1. According to an answer on Server Fault [1], the LDAP service in the original blog post [2] is set up so that all users can read everything in the database; the permissions should be modified to tighten security.
  2. You previously suggested using SSH keys. I'm setting up an application that allows non-technical users to use NiceDCV to remote in. The current NiceDCV client requests a username and password which I believe is more intuitive for a non-technical user than learning about ssh keys.

[1] https://serverfault.com/questions/1049748/openldap-implementation-allows-only-root-user-to-set-passwords-of-accounts/1049771?noredirect=1#comment1367195_1049771
[2] https://aws.amazon.com/blogs/opensource/managing-aws-parallelcluster-ssh-users-with-openldap/

answered 3 years ago
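The ACL semantics behind the password_policy.ldif fix above and the "everyone can read everything" concern in note 1, as an added example that is not part of this thread, the blog post or OpenLDAP itself: a small Python model of a subset of olcAccess evaluation (first matching "to" clause wins, then the first matching "by" clause, access levels are cumulative so "auth" allows a bind but not a read). The DNs, the two policies and the deliberately mis-ordered variant are constructed for illustration; the blog-post policy is modelled as "to * by * read" following the note above.

```python
"""Model a subset of OpenLDAP olcAccess evaluation (added example, not slapd).

Semantics modelled (OpenLDAP admin guide, access control chapter):
  * the first "to <what>" clause matching the target attribute is used and
    later clauses are never consulted for that attribute;
  * within it, the first "by <who>" clause matching the requester decides;
  * if no "by" clause matches, access is denied (implicit "by * none");
  * levels are cumulative: none < disclose < auth < compare < search < read
    < write < manage, so "auth" permits a bind but not reading the hash.
Only "to *", "to attrs=..." and the who-specifiers "*", "anonymous",
"users", "self" and "dn.exact=..." are supported here.
"""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_ge(granted, requested):
    """True if a grant of `granted` satisfies a request for `requested`."""
    return LEVELS.index(granted) >= LEVELS.index(requested)


def parse_olc_access(values):
    """Parse olcAccess values into a list of (what, [(who, level), ...])."""
    rules = []
    for value in values:
        value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
        head, *by_parts = re.split(r"\s+by\s+", value)
        m = re.fullmatch(r"to\s+(.+)", head)
        if m is None:
            raise ValueError("olcAccess value must start with 'to': " + value)
        what_str = m.group(1).strip()
        if what_str == "*":
            what = "*"
        elif what_str.startswith("attrs="):
            what = {a.strip().lower() for a in what_str[len("attrs="):].split(",")}
        else:
            raise ValueError("unsupported <what>: " + what_str)
        by_clauses = []
        for clause in by_parts:
            who, level = clause.split()[:2]
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            by_clauses.append((who, level))
        rules.append((what, by_clauses))
    return rules


def who_matches(who, bind_dn, entry_dn):
    """Does the requester (bind_dn, None when anonymous) match a <who> specifier?"""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return bind_dn is None
    if w == "users":
        return bind_dn is not None
    if w == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if w.startswith("dn.exact=") or w.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == w.split("=", 1)[1]
    raise ValueError("unsupported <who>: " + who)


def allowed(rules, bind_dn, entry_dn, attr, requested):
    """Decide whether bind_dn gets `requested` access to attr of entry_dn."""
    for what, by_clauses in rules:
        if what != "*" and attr.lower() not in what:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level_ge(level, requested)
        return False  # a "to" clause matched but no "by" clause did
    # Nothing matched: slapd's built-in default is "access to * by * read".
    return level_ge("read", requested)


def check(policy, bind_dn, entry_dn, attr, requested):
    """Convenience wrapper: parse the policy and evaluate one request."""
    return allowed(parse_olc_access(policy), bind_dn, entry_dn, attr, requested)


# Constructed policies and DNs for illustration (not taken from a real server).
BLOG_POLICY = ["{0}to * by * read"]  # "everyone reads everything", per note 1
FIXED_POLICY = [                      # the thread's password_policy.ldif
    "{0}to attrs=userPassword by self write by * auth",
    "{1}to * by * read",
]
WRONG_ORDER = [FIXED_POLICY[1].replace("{1}", "{0}"),
               FIXED_POLICY[0].replace("{0}", "{1}")]  # catch-all first shadows the fix

ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"


if __name__ == "__main__":
    cases = [
        ("blog: bob reads alice's hash", BLOG_POLICY, BOB, ALICE, "userPassword", "read"),
        ("blog: alice changes own password", BLOG_POLICY, ALICE, ALICE, "userPassword", "write"),
        ("fixed: alice changes own password", FIXED_POLICY, ALICE, ALICE, "userPassword", "write"),
        ("fixed: bob reads alice's hash", FIXED_POLICY, BOB, ALICE, "userPassword", "read"),
        ("fixed: anonymous binds as alice", FIXED_POLICY, None, ALICE, "userPassword", "auth"),
        ("wrong order: alice changes own password", WRONG_ORDER, ALICE, ALICE, "userPassword", "write"),
    ]
    for name, *args in cases:
        print(f"{name:42s} -> {'allowed' if check(*args) else 'denied'}")
```

Under the modelled blog policy alice's own userPassword write is denied, which is the "Insufficient access" that passwd reported, while any user (or anonymous bind) may read every hash; under the fixed policy only the owner may write it and everyone else gets "auth" only. The catch-all "to * by * read" still lets anonymous clients read every other attribute, so the tightening mentioned in note 1 would be a stricter <who> on that second rule (for instance "by users read by anonymous auth"), which is my assumption about what the Server Fault answer had in mind, not something the thread states.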
  1. I'll redirect your comments to the blog post's creator.
  2. Ok, I see what you mean.

Thanks for the explanation and the followup notes.

AWS
answered 3 years ago
