How to synchronize users between master and compute nodes

Thank you for the suggestions enrico-aws

I have followed your first link: https://aws.amazon.com/blogs/opensource/managing-aws-parallelcluster-ssh-users-with-openldap/ and was able to generate an LDAP non-admin account. There is a comment on the blog that instructs how root can edit the password of the LDAP non-admin account. Unfortunately, if I log in as the LDAP non-admin account and run passwd, I get the following error:

password change failed: Insufficient access
passwd: Authentication token manipulation error

Do you have any insight on why this is happening and how it could be resolved?

Hi ProlucidDavid,

if I understood correctly your goal is to permit the non-admin user to change his password by using the passwd command.

From what I can read online you need to add an ACL to permit non-admin users to change their passwords.
I found this link that looks promising: https://www.unixguide.net/content/openldap-allow-users-change-their-password-unix-passwd-command
and this other one: https://forums.centos.org/viewtopic.php?t=66493

This is an OpenLDAP specific configuration and you can find all the details in the official OpenLDAP doc: https://www.openldap.org/doc/admin24/access-control.html

What about using ssh keys instead of passwords?

Let me know if it helps.

Hi enrico-aws,

I appreciate your links, they were helpful. I also asked a similar question on server fault: https://serverfault.com/questions/1049748/openldap-implementation-allows-only-root-user-to-set-passwords-of-accounts/1049771?noredirect=1#comment1367195_1049771. From this, I created a file called password_policy.ldif which has the following contents:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
by self write
by * auth
olcAccess: {1}to *
by * read

I was able to apply the policy by executing:
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f passwordaccess.ldif

This resolved my issue

Hi enrico-aws,

I was hoping to add a few followup notes to the previous messages here:

1. According to an answer on Server Fault [1] the LDAP service in the original blog post [2] sets up a service that allows all users to read everything in the database permissions should be modified to tighten security.
2. You previously suggested using SSH keys. I'm setting up an application that allows non-technical users to use NiceDCV to remote in. The current NiceDCV client requests a username and password which I believe is more intuitive for a non-technical user than learning about ssh keys.

[1] https://serverfault.com/questions/1049748/openldap-implementation-allows-only-root-user-to-set-passwords-of-accounts/1049771?noredirect=1#comment1367195_1049771
[2] https://aws.amazon.com/blogs/opensource/managing-aws-parallelcluster-ssh-users-with-openldap/

1. I'll redirect your comments to the blog post's creator.
2. Ok, I see what you mean.

Thanks for the explanation and the followup notes.