Create a cluster with an AD domain
Warning
This introductory section describes how to set up AWS ParallelCluster with a Managed Active Directory (AD) server over the Lightweight Directory Access Protocol (LDAP). LDAP is an insecure protocol: credentials and directory data travel unencrypted. For production systems, we strongly recommend the use of TLS certificates (LDAPS) as described in the Example AWS Managed Microsoft AD over LDAP(S) cluster configurations section that follows.
Configure your cluster to integrate with a directory by specifying the relevant information in the DirectoryService section of the cluster configuration file. For more information, see the DirectoryService configuration section.
You can use the following example to integrate your cluster with an AWS Managed Microsoft AD over the Lightweight Directory Access Protocol (LDAP).
Specific definitions that are required for an AWS Managed Microsoft AD over LDAP configuration:
- You must set the ldap_auth_disable_tls_never_use_in_production parameter to True under DirectoryService / AdditionalSssdConfigs.
- You can specify either controller hostnames or IP addresses for DirectoryService / DomainAddr.
- DirectoryService / DomainReadOnlyUser syntax must be as follows: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
Get your AWS Managed Microsoft AD configuration data:
$ aws ds describe-directories --directory-id "d-abcdef01234567890"
{
  "DirectoryDescriptions": [
    {
      "DirectoryId": "d-abcdef01234567890",
      "Name": "corp.example.com",
      "DnsIpAddrs": [
        "203.0.113.225",
        "192.0.2.254"
      ],
      "VpcSettings": {
        "VpcId": "vpc-021345abcdef6789",
        "SubnetIds": [
          "subnet-1234567890abcdef0",
          "subnet-abcdef01234567890"
        ],
        "AvailabilityZones": [
          "region-idb",
          "region-idd"
        ]
      }
    }
  ]
}
Cluster configuration for an AWS Managed Microsoft AD:
Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True
To use this configuration for a Simple AD, change the DomainReadOnlyUser property value in the DirectoryService section:
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:SimpleAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnlyUser,cn=Users,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True
Considerations:
- We recommend that you use LDAP over TLS/SSL (or LDAPS) rather than LDAP alone. TLS/SSL ensures that the connection is encrypted.
- The DirectoryService / DomainAddr property value matches the entries in the DnsIpAddrs list from the describe-directories output.
- We recommend that your cluster use subnets that are located in the same Availability Zone that the DirectoryService / DomainAddr points to. If you use the custom Dynamic Host Configuration Protocol (DHCP) configuration that's recommended for directory VPCs and your subnets aren't located in the DirectoryService / DomainAddr Availability Zone, cross traffic among Availability Zones is possible. The use of custom DHCP configurations isn't required to use the multi-user AD integration feature.
- The DirectoryService / DomainReadOnlyUser property value specifies a user that must be created in the directory. This user isn't created by default. We recommend that you don't give this user permission to modify directory data.
- The DirectoryService / PasswordSecretArn property value points to an AWS Secrets Manager secret that contains the password of the user that you specified for the DirectoryService / DomainReadOnlyUser property. If this user's password changes, update the secret value and update the cluster. To update the cluster for the new secret value, you must stop the compute fleet with the pcluster update-compute-fleet command. If you configured your cluster to use LoginNodes, stop the LoginNodes / Pools and update the cluster after setting LoginNodes / Pools / Count to 0. Then, run the following command from within the cluster head node:
  sudo /opt/parallelcluster/scripts/directory_service/update_directory_service_password.sh
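To check a DirectoryService section against the considerations above before creating the cluster, here is an added Python example; it is not part of the AWS ParallelCluster documentation or tooling. It assumes the DirectoryService section has already been parsed from YAML into a dict, embeds the describe-directories output from this page as constructed sample data, and uses a hypothetical helper named audit_directory_service.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the DirectoryService section from this page, as the parsed YAML mapping.
DIRECTORY_SERVICE = {
    "DomainName": "dc=corp,dc=example,dc=com",
    "DomainAddr": "ldap://203.0.113.225,ldap://192.0.2.254",
    "PasswordSecretArn": "arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234",
    "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com",
    "AdditionalSssdConfigs": {"ldap_auth_disable_tls_never_use_in_production": True},
}

# Constructed sample: the relevant part of `aws ds describe-directories` output for the same directory.
DESCRIBE_DIRECTORIES = json.loads(
    '{"DirectoryDescriptions": [{"DirectoryId": "d-abcdef01234567890", '
    '"Name": "corp.example.com", "DnsIpAddrs": ["203.0.113.225", "192.0.2.254"]}]}'
)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def audit_directory_service(ds, describe_output):
    """Return a list of findings for a DirectoryService section; an empty list means no issues."""
    findings = []
    dns_ips = set(describe_output["DirectoryDescriptions"][0]["DnsIpAddrs"])
    for addr in ds["DomainAddr"].split(","):
        parts = urlsplit(addr.strip())
        # Plain ldap:// sends the bind password and directory data unencrypted.
        if parts.scheme != "ldaps":
            findings.append(f"{addr}: uses {parts.scheme}://, not ldaps:// (connection is unencrypted)")
        # IP addresses can be cross-checked against DnsIpAddrs; hostnames are skipped here.
        host = parts.hostname or ""
        if IPV4.match(host) and host not in dns_ips:
            findings.append(f"{addr}: {host} is not in the directory's DnsIpAddrs")
    sssd = ds.get("AdditionalSssdConfigs", {})
    if str(sssd.get("ldap_auth_disable_tls_never_use_in_production", False)).lower() == "true":
        findings.append("ldap_auth_disable_tls_never_use_in_production is enabled")
    # The read-only user's DN must sit under the DomainName base DN.
    if not ds["DomainReadOnlyUser"].lower().endswith("," + ds["DomainName"].lower()):
        findings.append("DomainReadOnlyUser DN does not end with DomainName")
    if not ds["PasswordSecretArn"].startswith("arn:aws:secretsmanager:"):
        findings.append("PasswordSecretArn is not a Secrets Manager ARN")
    return findings


if __name__ == "__main__":
    for finding in audit_directory_service(DIRECTORY_SERVICE, DESCRIBE_DIRECTORIES):
        print("FINDING:", finding)
```

Run against the page's LDAP configuration it reports three findings (two ldap:// addresses plus the disabled-TLS SSSD option); the same section with ldaps:// addresses and the SSSD option removed passes clean.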
For another example, see also Integrating Active Directory.