Centralized authentication on the cluster

The security feature allows cluster admin users to set up FreeIPA or OpenLDAP in order to allow or deny user access.

Configuring FreeIPA/OpenLDAP security

Note

Omnia supports OpenLDAP configuration on Ubuntu, RHEL, and Rocky Linux.

Note

FreeIPA configuration is not supported on Ubuntu.

Pre requisites

  • Run local_repo.yml to create offline repositories of FreeIPA or OpenLDAP. If both were downloaded, ensure that the non-required system is removed from input/software_config.json before running security.yml. For more information, click here.

  • Enter the following parameters in input/security_config.yml.

Parameters for Authentication

Parameter

Details
domain_name

string Required

  • Sets the intended domain name.

  • If dc=omnia,dc=test, Provide omnia.test

  • If dc=dell,dc=omnia,dc=com Provide dell.omnia.com

    Default values: omnia.test
Parameters for OpenLDAP configuration

Parameter

Details
ldap_connection_type

string Required

For a TLS connection, provide a valid certification path. For an SSL connection, ensure port 636 is open.

Choices:

  • TLS <- Default

  • SSL
tls_ca_certificate

string Optional

File path pointing to the Certificate Authority (CA) issued certificate path. Certificate files should be saved with a .pem or .crt extension. If not provided, a self-signed certificate is generated by Omnia.
tls_certificate

string Optional

File path pointing to the certificate used to authorize the LDAP server. Certificate files should be saved with a .pem or .crt extension.
tls_certificate_key

string Optional

The private key that matches the LDAP certificate.
openldap_db_username

string Required

The username used to manage the LDAP database.

Default value: "admin"
openldap_db_password

string Required

The password used to configure and manage the LDAP database. Ensure that this value is 8 characters long.
openldap_config_username

string Required

The username used to configure the LDAP database.

Default value: "admin"
openldap_config_password

string Required

The password used to configure the LDAP database. Ensure that this value is 8 characters long.
openldap_monitor_password

string Required

The password used to monitor the LDAP database. Ensure that this value is 8 characters long.
openldap_organization

string Required

LDAP server is configured using organizations. They are necessary for user creation and group mapping.

Default value: "omnia"
openldap_organizationational_unit

string Required

LDAP server is configured using organizations. They are necessary for user creation and group mapping.

Default value: "People"
Parameters for FreeIPA configuration

Parameter

Details
realm_name

string Required

  • Sets the intended kerberos realm name.

  • It is required for FreeIPA setups.

  • A realm name is often, but not always the upper case version of the name of the DNS domain over which it presides.

  • Default value: "OMNIA.TEST"
directory_manager_password

string Required

  • The directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA.

  • The password must be at least 8 characters long.

  • The password must not contain -,, ‘,”
kerberos_admin_password

string Required

  • kerberos_admin_password used by IPA admin user. The IPA server requires an administrative user, named ‘admin’.

  • The password must be at least 8 characters long.

  • The password must not contain -,, ‘,”
domain name

string Required

  • This variable is a mandatory requirement for FreeIPA setup

  • Default value: "omnia.test"

Running the security role

The wrapper playbook omnia.yml handles execution of the security or authentication role. Alternatively:

cd security
ansible-playbook security.yml -i inventory

The inventory should contain auth_server as per the inventory file in samplefiles. The inventory file is case-sensitive. Follow the format provided in the sample file link.

  • Do not include the IP of the control plane or local host as the auth_server group in the inventory file.

  • To customize the security features on the login node, update the desired parameters in input/login_node_security_config.yml.

  • If a subsequent run of security.yml fails, the security_config.yml file will be unencrypted.

Note

Installation of OpenLDAP server or FreeIPA server on Control Plane is not supported.

Caution

No users will be created by Omnia.

Create a new user on OpenLDAP

  1. Create an LDIF file (eg: create_user.ldif) on the auth server containing the following information:

    • DN: The distinguished name that indicates where the user will be created.

    • objectClass: The object class specifies the mandatory and optional attributes that can be associated with an entry of that class. Here, the values are inetOrgPerson, posixAccount, and shadowAccount.

    • UID: The username of the replication user.

    • sn: The surname of the intended user.

    • cn: The given name of the intended user.

Below is a sample file:

# User Creation
dn: uid=ldapuser,ou=People,dc=omnia,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
sn: ldapuser
loginShell:/bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

# Group Creation
dn: cn=ldapuser,ou=Group,dc=omnia,dc=test
objectClass: posixGroup
cn: ldapuser
gidNumber: 2000
memberUid: ldapuser

Note

Avoid whitespaces when using an LDIF file for user creation. Extra spaces in the input data may be encrypted by OpenLDAP and cause access failures.

  1. Run the command ldapadd -D <enter admin binddn > -w < bind_password > -f create_user.ldif to execute the LDIF file and create the account.

  2. To set up a password for this account, use the command ldappasswd -D <enter admin binddn > -w < bind_password > -S <user_dn>. The value of user_dn is the distinguished name that indicates where the user was created. (In this example, uid=ldapuser,ou=People,dc=omnia,dc=test)

Setting up Passwordless SSH for the OpenLDAP/FreeIPA users

Once user accounts are created, admins can enable passwordless SSH for users to run HPC jobs on the cluster nodes.

Note

Once user accounts are created on the auth server, use the accounts to login to the cluster nodes to reset the password and create a corresponding home directory.

To customize your setup of passwordless ssh, input parameters in input/passwordless_ssh_config.yml.

Parameter

Details
user_name

string Required
The list of users that requires password-less SSH. Separate the list of users using a comma.

Eg: user1,user2,user3
authentication_type

string Required

Indicates whether LDAP or FreeIPA is in use on the cluster.

Choices:

  • freeipa

  • ldap <- Default

Use the below command to enable passwordless SSH:

ansible-playbook user_passwordless_ssh.yml -i inventory

Where inventory follows the format defined under inventory file in the provided Sample Files. The inventory file is case-sensitive. Follow the format provided in the sample file link.

Caution

Do not run ssh-keygen commands after passwordless SSH is set up on the nodes.

Configuring login node security

Prerequisites

  • Run local_repo.yml to create an offline repository of all utilities used to secure the login node. For more information, click here.

Enter the following parameters in input/login_node_security_config.yml.

Variable

Details
max_failures

integer Optional

The number of login failures that can take place before the account is locked out.

Default values: 3
failure_reset_interval

integer Optional

Period (in seconds) after which the number of failed login attempts is reset. Min value: 30; Max value: 60.

Default values: 60
lockout_duration

integer Optional

Period (in seconds) for which users are locked out. Min value: 5; Max value: 10.

Default values: 10
session_timeout

integer Optional

User sessions that have been idle for a specific period can be ended automatically. Min value: 90; Max value: 180.

Default values: 180
alert_email_address

string Optional

Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Currently, only one email ID is accepted.
user

string Optional

Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespaces.
allow_deny

string Optional

This variable decides whether users are to be allowed or denied access. Ensure that AllowUsers or DenyUsers entries on sshd configuration file are not commented.

Choices:

  • allow <- Default

  • deny
restrict_program_support

boolean Optional

This variable is used to disable services. Root access is mandatory.

Choices:

  • false <- Default

  • true
restrict_softwares

string Optional

List of services to be disabled (Comma-separated). Example: ‘telnet,lpd,bluetooth’

Choices:

  • telnet

  • lpd

  • bluetooth

  • rlogin

  • rexec

Advanced Settings

  • To install FreeIPA server on the NFS node, click here.

  • To replicate the OpenLDAP server click here.

If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.