Create a cluster with an AD domain

Warning

This introductory section describes how to set up AWS ParallelCluster with a Managed Active Directory (AD) server over the Lightweight Directory Access Protocol (LDAP). LDAP is an insecure protocol. For production systems, we strongly recommended the use of TLS certificates (LDAPS) as described in the Example AWS Managed Microsoft AD over LDAP(S) cluster configurations section that follows.

Configure your cluster to integrate with a directory by specifying the relevant information in the DirectoryService section of the cluster configuration file. For more information, see the DirectoryService configuration section.

You can use this following example to integrate your cluster with an AWS Managed Microsoft AD over the Lightweight Directory Access Protocol (LDAP).

Specific definitions that are required for an AWS Managed Microsoft AD over LDAP configuration:

You must set the ldap_auth_disable_tls_never_use_in_production parameter to True under DirectoryService / AdditionalSssdConfigs.
You can specify either controller hostnames or IP addresses for DirectoryService / DomainAddr.
DirectoryService / DomainReadOnlyUser syntax must be as follows:
```
cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
```

Get your AWS Managed Microsoft AD configuration data:


$ aws ds describe-directories --directory-id "d-abcdef01234567890"


{
    "DirectoryDescriptions": [
        {
            "DirectoryId": "d-abcdef01234567890",
            "Name": "corp.example.com",
            "DnsIpAddrs": [
                "203.0.113.225",
                "192.0.2.254"
            ],
            "VpcSettings": {
                "VpcId": "vpc-021345abcdef6789",
                "SubnetIds": [
                    "subnet-1234567890abcdef0",
                    "subnet-abcdef01234567890"
                ],
                "AvailabilityZones": [
                    "region-idb",
                    "region-idd"
                ]
            }
        }
    ]
}

Cluster configuration for an AWS Managed Microsoft AD:


Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True

To use this configuration for a Simple AD, change the DomainReadOnlyUser property value in the DirectoryService section:


DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldap://203.0.113.225,ldap://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:SimpleAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnlyUser,cn=Users,dc=corp,dc=example,dc=com
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True

Considerations:

We recommend that you use LDAP over TLS/SSL (or LDAPS) rather than LDAP alone. TLS/SSL ensures that the connection is encrypted.
The DirectoryService / DomainAddr property value matches the entries in the DnsIpAddrs list from the describe-directories output.
We recommend that your cluster use subnets that are located in the same Availability Zone that the DirectoryService / DomainAddr points to. If you use custom Dynamic Host Configuration Protocol (DHCP) configuration that's recommended for directory VPCs and your subnets aren't located in the DirectoryService / DomainAddr Availability Zone, cross traffic among Availability Zones is possible. The use of custom DHCP configurations isn't required to use the multi-user AD integration feature.
The DirectoryService / DomainReadOnlyUser property value specifies a user that must be created in the directory. This user isn't created by default. We recommend that you don't give this user permission to modify directory data.
The DirectoryService / PasswordSecretArn property value points to an AWS Secrets Manager secret that contains the password of the user that you specified for the DirectoryService / DomainReadOnlyUser property. If this user’s password changes, update the secret value and update the cluster. To update the cluster for the new secret value, you must stop the compute fleet with the pcluster update-compute-fleet command. If you configured your cluster to use LoginNodes, stop the LoginNodes / Pools and update the cluster after setting LoginNodes / Pools / Count to 0. Then, run the following command from within the cluster head node.
```
 sudo /opt/parallelcluster/scripts/directory_service/update_directory_service_password.sh
```

For another example, see also Integrating Active Directory.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create an Active Directory