I should also note that we have been asked/hired to solve similar problems, though the question of how to deal with a potentially fragile AD implementation makes it more ... challenging. You can't have AD going down and locking out cluster/HPC/DB jobs. Calls for some inventive/interesting solutions.

Joe

Joe Landman wrote:
> www.centrify.com
>
> Chris Dagdigian wrote:
>>
>> Hi folks,
>>
>> Figured I'd ask here before trying the beowulf list ...
>>
>> I'm working with an organization that will be deploying a midsized
>> life science oriented cluster in the next few months. This group is in
>> the business of making new products, selling products and
>> discovering/developing new products -- the message from the top down
>> is that IT is a tool that they need to be able to use effectively but
>> they don't want to be in the position of designing, managing and
>> deploying lots of custom/complex or one-off IT solutions.
>>
>> This means that their IT systems tend to be well designed, extremely
>> well documented and focused on ease-of-maintenance. In many cases the
>> solutions are designed with an eye towards handing off the day to day
>> operation/management to a 3rd party infrastructure/operations provider
>> or contractor.
>>
>> The organization already has a robust and well-managed directory
>> services infrastructure based on MS Windows and Active Directory.
>> There is *strong* interest in extending this directory service into
>> the realm of the biocluster so that they don't have to roll out and
>> manage a totally separate access scheme for cluster users.
>>
>> I've done enough work in the lab with AD, LDAP and Kerberos to know
>> that Linux+Kerberos can usually play nicely and authenticate against
>> Active Directory servers but I have not personally done this further
>> than simple experimentation on test systems. Getting a single Linux
>> box to authenticate against the domain is one thing; integrating 80+
>> Linux boxes is something different.
>>
>> Have people on this list done Active Directory integration with full
>> clusters? I'm interested in all pointers, war stories, product/vendor
>> recommendations etc. that people would be willing to share. Of
>> particular concern to me is how to bring the directory/authentication
>> info into the private cluster network so the compute nodes can make
>> use of it -- some methods involve password synchronization and others
>> seem to involve bringing an AD server directly onto the cluster
>> network. Only a few of the commercial Linux/Active Directory
>> integration offerings seem to promise "minimal or zero" configuration
>> changes on the actual domain server (a key point as I doubt we'll be
>> allowed to mess with the domain servers much themselves).
>>
>> I'll summarize any responses and can tell y'all how the project went
>> sometime next year!
>>
>> Regards,
>> Chris

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web  : http://www.scalableinformatics.com
phone: +1 734 786 8423
fax  : +1 734 786 8452 or +1 866 888 3112
cell : +1 734 612 4615