Create a cluster with an AD domain - AWS ParallelCluster

Warning

This introductory section describes how to set up AWS ParallelCluster with a Managed Active Directory (AD) server over the Lightweight Directory Access Protocol (LDAP). LDAP is an insecure protocol. For production systems, we strongly recommend the use of TLS certificates (LDAPS) as described in the Example AWS Managed Microsoft AD over LDAP(S) cluster configurations section that follows.

Configure your cluster to integrate with a directory by specifying the relevant information in the DirectoryService section of the cluster configuration file. For more information, see the DirectoryService configuration section.

You can use the following example to integrate your cluster with an AWS Managed Microsoft AD over the Lightweight Directory Access Protocol (LDAP).

Specific definitions that are required for an AWS Managed Microsoft AD over LDAP configuration:

Get your AWS Managed Microsoft AD configuration data:

$ aws ds describe-directories --directory-id "d-abcdef01234567890"
{
    "DirectoryDescriptions": [
        {
            "DirectoryId": "d-abcdef01234567890",
            "Name": "corp.example.com",
            "DnsIpAddrs": [
                "203.0.113.225",
                "192.0.2.254"
            ],
            "VpcSettings": {
                "VpcId": "vpc-021345abcdef6789",
                "SubnetIds": [
                    "subnet-1234567890abcdef0",
                    "subnet-abcdef01234567890"
                ],
                "AvailabilityZones": [
                    "region-idb",
                    "region-idd"
                ]
            }
        }
    ]
}

Cluster configuration for an AWS Managed Microsoft AD:

Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True

To use this configuration for a Simple AD, change the DomainReadOnlyUser property value in the DirectoryService section:

DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:SimpleAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnlyUser,cn=Users,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True

Considerations:
  • We recommend that you use LDAP over TLS/SSL (or LDAPS) rather than LDAP alone. TLS/SSL ensures that the connection is encrypted.

  • The DirectoryService / DomainAddr property value matches the entries in the DnsIpAddrs list from the describe-directories output.

  • We recommend that your cluster use subnets that are located in the same Availability Zone that the DirectoryService / DomainAddr points to. If you use the custom Dynamic Host Configuration Protocol (DHCP) configuration that's recommended for directory VPCs and your subnets aren't located in the DirectoryService / DomainAddr Availability Zone, cross traffic among Availability Zones is possible. A custom DHCP configuration isn't required to use the multi-user AD integration feature.

  • The DirectoryService / DomainReadOnlyUser property value specifies a user that must be created in the directory. This user isn't created by default. We recommend that you don't give this user permission to modify directory data.

  • The DirectoryService / PasswordSecretArn property value points to an AWS Secrets Manager secret that contains the password of the user that you specified for the DirectoryService / DomainReadOnlyUser property. If this user’s password changes, update the secret value and update the cluster. To update the cluster for the new secret value, you must stop the compute fleet with the pcluster update-compute-fleet command. If you configured your cluster to use LoginNodes, stop the LoginNodes / Pools and update the cluster after setting LoginNodes / Pools / Count to 0. Then, run the following command from within the cluster head node.

    sudo /opt/parallelcluster/scripts/directory_service/update_directory_service_password.sh
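The following Python check is an added example, not part of the ParallelCluster documentation or tooling. It validates a DirectoryService section against the describe-directories output along the lines of the considerations above: every DomainAddr host must appear in DnsIpAddrs, the scheme should be ldaps rather than ldap, the DomainName base DN must correspond to the directory's DNS name, and the TLS-disabling SSSD option must be absent. The sample data is constructed from the values on this page, and the DirectoryService section is assumed to be already loaded from the YAML into a dict (for example with yaml.safe_load).

```python
import json
from urllib.parse import urlsplit

# Constructed sample of `aws ds describe-directories` output, using this page's values.
DESCRIBE_DIRECTORIES = json.loads("""
{"DirectoryDescriptions": [{"DirectoryId": "d-abcdef01234567890",
  "Name": "corp.example.com",
  "DnsIpAddrs": ["203.0.113.225", "192.0.2.254"]}]}
""")

# The DirectoryService section from the page, as yaml.safe_load would return it
# (assumed: the YAML has already been parsed into this dict).
DIRECTORY_SERVICE = {
    "DomainName": "dc=corp,dc=example,dc=com",
    "DomainAddr": "ldap://203.0.113.225,ldap://192.0.2.254",
    "PasswordSecretArn": "arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234",
    "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com",
    "AdditionalSssdConfigs": {"ldap_auth_disable_tls_never_use_in_production": True},
}


def dns_name_to_base_dn(name: str) -> str:
    """corp.example.com -> dc=corp,dc=example,dc=com"""
    return ",".join(f"dc={label}" for label in name.lower().split("."))


def check_directory_service(ds: dict, describe: dict) -> list[str]:
    """Return a list of findings; an empty list means the section passes every check."""
    findings = []
    directory = describe["DirectoryDescriptions"][0]
    expected_dn = dns_name_to_base_dn(directory["Name"])
    if ds["DomainName"].lower() != expected_dn:
        findings.append(f"DomainName {ds['DomainName']} does not match {directory['Name']} ({expected_dn})")
    dns_ips = set(directory["DnsIpAddrs"])
    # DomainAddr is a comma-separated list of LDAP URIs; check each one.
    for uri in ds["DomainAddr"].split(","):
        parts = urlsplit(uri.strip())
        if parts.scheme != "ldaps":
            findings.append(f"{uri}: scheme {parts.scheme} is cleartext; use ldaps://")
        if parts.hostname not in dns_ips:
            findings.append(f"{uri}: host not in DnsIpAddrs {sorted(dns_ips)}")
    sssd = ds.get("AdditionalSssdConfigs") or {}
    if sssd.get("ldap_auth_disable_tls_never_use_in_production"):
        findings.append("AdditionalSssdConfigs disables TLS for LDAP authentication")
    return findings


if __name__ == "__main__":
    for finding in check_directory_service(DIRECTORY_SERVICE, DESCRIBE_DIRECTORIES):
        print("FINDING:", finding)
```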

For another example, see also Integrating Active Directory.