Centralized authentication on the cluster

The security feature allows cluster admin users to set up OpenLDAP in order to allow or deny user access to the cluster.

Note

FreeIPA configuration is not supported on Ubuntu (only supported on RHEL/Rocky Linux). OpenLDAP is provided as an alternative for Ubuntu.

Configuring OpenLDAP security

Prerequisites

  • Ensure that the following entry is present in the input/software_config.json:

    {"name": "openldap"}
    
  • Run local_repo.yml to create offline repositories of OpenLDAP. For more information, click here.

  • Enter the following parameters in input/security_config.yml:

Parameters for Authentication

domain_name (string, Required)

  • Sets the intended domain name.

  • If the base DN is dc=omnia,dc=test, provide omnia.test.

  • If the base DN is dc=dell,dc=omnia,dc=com, provide dell.omnia.com.

    Default value: omnia.test

Parameters for OpenLDAP configuration

ldap_connection_type (string, Required)

For a TLS connection, provide a valid certificate path. For an SSL connection, ensure port 636 is open.

Choices:

  • TLS <- Default

  • SSL

tls_ca_certificate (string, Optional)

File path of the certificate issued by the Certificate Authority (CA). Certificate files should be saved with a .pem or .crt extension. If not provided, a self-signed certificate is generated by Omnia.

tls_certificate (string, Optional)

File path of the certificate used to authorize the LDAP server. Certificate files should be saved with a .pem or .crt extension.

tls_certificate_key (string, Optional)

File path of the private key that matches the LDAP server certificate.

openldap_db_username (string, Required)

The username used to manage the LDAP database.

Default value: "admin"

openldap_db_password (string, Required)

The password used to configure and manage the LDAP database. Ensure that this value is 8 characters long.

openldap_config_username (string, Required)

The username used to configure the LDAP database.

Default value: "admin"

openldap_config_password (string, Required)

The password used to configure the LDAP database. Ensure that this value is 8 characters long.

openldap_monitor_password (string, Required)

The password used to monitor the LDAP database. Ensure that this value is 8 characters long.

openldap_organization (string, Required)

The LDAP server is configured using organizations. They are necessary for user creation and group mapping.

Default value: "omnia"

openldap_organizational_unit (string, Required)

The organizational unit, within the organization above, under which users are created and groups are mapped.

Default value: "People"
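As an added example (not part of the Omnia documentation or code base), the following Python script checks a security_config.yml dictionary against the rules in the two tables above, including the domain_name to base-DN mapping. The key names are those of the tables, the sample values are constructed, and reading the password rule as "at least 8 characters" is an assumption.

```python
# Added example (not Omnia's own code): sanity-check the OpenLDAP keys of
# input/security_config.yml before running security.yml.  Key names come from
# the table above; "8 characters long" is treated as a minimum (assumption).
from pathlib import Path

CERT_EXTENSIONS = {".pem", ".crt"}
CONNECTION_TYPES = {"TLS", "SSL"}
PASSWORD_KEYS = ("openldap_db_password", "openldap_config_password",
                 "openldap_monitor_password")
REQUIRED_KEYS = ("openldap_db_username", "openldap_config_username",
                 "openldap_organization", "openldap_organizational_unit")

def domain_to_base_dn(domain_name: str) -> str:
    """omnia.test -> dc=omnia,dc=test, the mapping the domain_name row describes."""
    labels = [part for part in domain_name.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("domain_name must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)

def validate_security_config(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the config passes."""
    problems = []
    try:
        domain_to_base_dn(str(cfg.get("domain_name", "")))
    except ValueError as exc:
        problems.append(str(exc))
    if cfg.get("ldap_connection_type", "TLS") not in CONNECTION_TYPES:
        problems.append("ldap_connection_type: must be TLS or SSL")
    for key in ("tls_ca_certificate", "tls_certificate"):
        path = cfg.get(key)
        if path and Path(path).suffix not in CERT_EXTENSIONS:
            problems.append(f"{key}: expected a .pem or .crt file, got {path!r}")
    for key in PASSWORD_KEYS:
        if len(str(cfg.get(key, ""))) < 8:
            problems.append(f"{key}: must be at least 8 characters")
    problems += [f"{key}: required" for key in REQUIRED_KEYS if not cfg.get(key)]
    return problems

# Constructed sample: the table's defaults plus two deliberate mistakes.
SAMPLE_CONFIG = {
    "domain_name": "omnia.test", "ldap_connection_type": "TLS",
    "tls_ca_certificate": "/opt/omnia/certs/ca.cer",  # wrong extension
    "openldap_db_username": "admin", "openldap_db_password": "short",  # too short
    "openldap_config_username": "admin", "openldap_config_password": "ConfigPass1",
    "openldap_monitor_password": "MonitorPass1",
    "openldap_organization": "omnia", "openldap_organizational_unit": "People",
}
```

Running validate_security_config(SAMPLE_CONFIG) reports the wrong certificate extension and the short database password; fixing those two values yields an empty list.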

Running the security role

The wrapper playbook omnia.yml handles execution of the security or authentication role. Alternatively, execute the security.yml playbook:

cd security
ansible-playbook security.yml -i inventory

Note

To run the security.yml playbook independently from the omnia.yml playbook on Intel Gaudi nodes, start by executing the performance_profile.yml playbook. Once that’s done, you can run the security.yml playbook separately.

The provided inventory should contain auth_server and login [optional] groups. The inventory file is case-sensitive. Follow the format provided in the sample files.

  • Do not include the IP of the OIM or local host in the auth_server group of the inventory file.

  • For secure login node functionality, ensure that the login group is added to the provided inventory file. To customize the security features on the login node, update the desired parameters in input/login_node_security_config.yml.

  • If a subsequent run of security.yml fails, the security_config.yml file will be unencrypted.

Note

  • Installation of OpenLDAP server on the OIM is not supported.

  • Omnia sets up the internal OpenLDAP server for user authentication after the execution of security.yml or omnia.yml playbook. If login fails for an OpenLDAP user, then check if the slapd-ltd.service is running on the authentication server. For more information, click here.

Caution

No users will be created by Omnia.

Create a new user on OpenLDAP

  1. Create an LDIF file (e.g., create_user.ldif) on the auth server containing the following information:

    • DN: The distinguished name that indicates where the user will be created.

    • objectClass: The object class specifies the mandatory and optional attributes that can be associated with an entry of that class. Here, the values are inetOrgPerson, posixAccount, and shadowAccount.

    • uid: The username of the intended user.

    • sn: The surname of the intended user.

    • cn: The given name of the intended user.

Below is a sample file:

# User Creation
dn: uid=ldapuser,ou=People,dc=omnia,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ldapuser
cn: ldapuser
sn: ldapuser
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

# Group Creation
dn: cn=ldapuser,ou=Group,dc=omnia,dc=test
objectClass: posixGroup
cn: ldapuser
gidNumber: 2000
memberUid: ldapuser

Note

Avoid stray whitespace in the LDIF file used for user creation. Leading or trailing spaces in a value are not trimmed: the LDIF format base64-encodes such values and OpenLDAP stores them as given, so the stored value no longer matches what the user types and access fails.

  2. Run ldapadd -D <admin_binddn> -w <bind_password> -f create_user.ldif to execute the LDIF file and create the account. (Use -W instead of -w to be prompted for the bind password, so that it does not appear in the shell history or the process list.)

  3. To set a password for this account, use ldappasswd -D <admin_binddn> -w <bind_password> -S <user_dn>. The value of user_dn is the distinguished name under which the user was created (in this example, uid=ldapuser,ou=People,dc=omnia,dc=test).
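The following Python script is an added example, not from the Omnia documentation: it generates the user and group entries of the sample LDIF above for any username and uid, refuses usernames containing whitespace, and applies the RFC 2849 rule behind the whitespace note (values with leading or trailing spaces are written base64-encoded rather than trimmed). The base DN, ou names and shadow attributes are taken from the sample; the username pattern is an assumption.

```python
# Added example (not from the Omnia docs): builds the user + group LDIF shown
# above for any username and uid, and applies the RFC 2849 rule that values with
# leading/trailing whitespace must be base64-encoded, which is why stray spaces
# end up inside the stored value.  Base DN, ou names and the shadow* attributes
# are copied from the sample above; the username pattern is an assumption.
import base64
import re

BASE_DN = "dc=omnia,dc=test"
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # POSIX-style login name


def ldif_value(attr: str, value: str) -> str:
    """One 'attr: value' line, switching to 'attr:: base64' when RFC 2849 requires it."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_start or unsafe_char or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def build_user_ldif(username: str, uid_number: int, shell: str = "/bin/bash") -> str:
    """Return the user entry and its private group, ready for ldapadd -f."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing username {username!r}: whitespace or bad characters")
    user = [
        ("dn", f"uid={username},ou=People,{BASE_DN}"),
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"), ("uid", username), ("cn", username),
        ("sn", username), ("loginShell", shell), ("uidNumber", str(uid_number)),
        ("gidNumber", str(uid_number)), ("homeDirectory", f"/home/{username}"),
        ("shadowLastChange", "0"), ("shadowMax", "0"), ("shadowWarning", "0"),
    ]
    group = [
        ("dn", f"cn={username},ou=Group,{BASE_DN}"), ("objectClass", "posixGroup"),
        ("cn", username), ("gidNumber", str(uid_number)), ("memberUid", username),
    ]
    lines = ["# User Creation"] + [ldif_value(a, v) for a, v in user]
    lines += ["", "# Group Creation"] + [ldif_value(a, v) for a, v in group]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_user_ldif("ldapuser", 2000))
```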

Setting up Passwordless SSH for the OpenLDAP users

Once user accounts are created, admins can enable password-less SSH for users to run HPC jobs on the cluster nodes.

Note

Once user accounts are created on the auth server, use the accounts to log in to the cluster nodes to reset the password and create a corresponding home directory.

To customize your setup of password-less SSH, input custom parameters in input/passwordless_ssh_config.yml:

user_name (string, Required)

The list of users that require passwordless SSH. Separate the users with commas.

Example: user1,user2,user3

authentication_type (string, Required)

Indicates whether LDAP is in use on the cluster.

Choices: ldap <- Default

Use the below command to enable password-less SSH:

ansible-playbook user_passwordless_ssh.yml -i inventory

Here, inventory follows the format defined under the inventory file in the provided sample files. The inventory file is case-sensitive.

Caution

Do not run ssh-keygen commands after password-less SSH is set up on the nodes.

Configuring login node security

Prerequisites

  • Ensure that the following entry is present in the input/software_config.json:

    {"name": "secure_login_node"}
    
  • Run local_repo.yml to create an offline repository of all utilities used to secure the login node. For more information, click here.

  • For secure login node functionality, ensure that the login group is added to the provided inventory file.

Enter the following parameters in input/login_node_security_config.yml.

max_failures (integer, Optional)

The number of login failures that can take place before the account is locked out.

Default value: 3

failure_reset_interval (integer, Optional)

Period (in seconds) after which the count of failed login attempts is reset. Min value: 30; Max value: 60.

Default value: 60

lockout_duration (integer, Optional)

Period (in seconds) for which users are locked out. Min value: 5; Max value: 10.

Default value: 10

session_timeout (integer, Optional)

Idle period after which a user session is ended automatically. Min value: 90; Max value: 180.

Default value: 180

alert_email_address (string, Optional)

Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Multiple comma-separated alert email addresses can be given. Example:

alert_email_address: "user1@domain.com,user2@domain.com"

smtp_server (string, Optional)

This parameter is applicable only when alert_email_address is provided. It contains the details of the SMTP server configured on the cluster, from which the email alerts are sent in case of authentication failures. Currently, Omnia supports only a single SMTP server on the cluster. The SMTP server should be reachable from the login node so that the email alerts can be delivered. Example:

smtp_server:
  - { host: "smtp-server.domain.com", port: "25", sender_address: "alert@domain.com" }

user (string, Optional)

Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespace.

allow_deny (string, Optional)

This variable decides whether the listed users are allowed or denied access. Ensure that the AllowUsers or DenyUsers entries in the sshd configuration file are not commented out.

Choices:

  • allow <- Default

  • deny

restrict_program_support (boolean, Optional)

This variable is used to disable services. Root access is mandatory.

Choices:

  • false <- Default

  • true

restrict_softwares (string, Optional)

List of services to be disabled (comma-separated). Example: 'telnet,lpd,bluetooth'

Choices:

  • telnet

  • lpd

  • bluetooth

  • rlogin

  • rexec
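To make the interaction of max_failures, failure_reset_interval and lockout_duration concrete, here is an added Python model (not Omnia's code, and not the login node's actual PAM configuration) that replays constructed sshd log lines through that policy. It assumes that failures are counted only within the reset interval and that a lock lifts after lockout_duration; the default values are the table's.

```python
# Added example (not Omnia's own code): models how max_failures,
# failure_reset_interval and lockout_duration interact, replayed over constructed
# sshd log lines; the exact semantics are an assumption, not Omnia's PAM setup.
import re
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from")


class LockoutPolicy:
    def __init__(self, max_failures=3, failure_reset_interval=60, lockout_duration=10):
        self.max_failures, self.reset_interval = max_failures, failure_reset_interval
        self.lockout_duration = lockout_duration
        self.failures = {}      # user -> timestamps (epoch seconds) of recent failures
        self.locked_until = {}  # user -> epoch second at which the lock lifts

    def record(self, user, outcome, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt at time `now`."""
        if now < self.locked_until.get(user, 0):
            return "locked"                      # still inside lockout_duration
        if outcome == "Accepted":
            self.failures.pop(user, None)        # success clears the counter
            return "ok"
        # drop failures older than failure_reset_interval, then count this one
        recent = [t for t in self.failures.get(user, []) if now - t < self.reset_interval]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_duration
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = recent
        return "failed"


def replay(lines, policy):
    """Feed log lines through the policy; returns a list of (user, decision)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, outcome, user = m.groups()
            now = datetime.fromisoformat(ts).timestamp()
            results.append((user, policy.record(user, outcome, now)))
    return results


# Constructed sample log (ISO timestamps; not real cluster data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "2024-05-01T10:00:20 sshd[102]: Failed password for alice from 10.0.0.5 port 5002 ssh2",
    "2024-05-01T10:00:40 sshd[103]: Failed password for alice from 10.0.0.5 port 5003 ssh2",
    "2024-05-01T10:00:45 sshd[104]: Accepted publickey for alice from 10.0.0.5 port 5004 ssh2",
    "2024-05-01T10:00:55 sshd[105]: Accepted publickey for alice from 10.0.0.5 port 5005 ssh2",
]
```

With the defaults, replay(SAMPLE_LOG, LockoutPolicy()) locks alice on the third failure and rejects the valid key 5 seconds later; with failure_reset_interval=30 the first failure has aged out by the third attempt, so no lock occurs.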

Advanced Settings

  • To replicate the OpenLDAP server, click here.

  • To set up the internal OpenLDAP server as a proxy, click here.

If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.