[Bioclusters] pointers on cluster integration with MS active directory environments

Chris Dagdigian dag at sonsorol.org
Wed Aug 23 17:10:53 EDT 2006

Hi folks,

Figured I'd ask here before trying the beowulf list ...

I'm working with an organization that will be deploying a midsized  
life science oriented cluster in the next few months. This group is  
in the business of making new products, selling products and  
discovering/developing new products -- the message from the top down  
is that IT is a tool that they need to be able to use effectively but  
they don't want to be in the position of designing, managing and  
deploying lots of custom/complex or one-off IT solutions.

This means that their IT systems tend to be well designed, extremely  
well documented and focused on ease-of-maintenance. In many cases the  
solutions are designed with an eye towards handing off the day to day  
operation/management to a 3rd party infrastructure/operations  
provider or contractor.

The organization already has a robust and well-managed directory  
services infrastructure based on MS Windows and Active Directory.  
There is *strong* interest in extending this directory service into  
the realm of the biocluster so that they don't have to roll out and  
manage a totally separate access scheme for cluster users.

I've done enough work in the lab with AD, LDAP and Kerberos to know  
that Linux+Kerberos can usually play nicely and authenticate against  
Active Directory servers but I have not personally done this further  
than simple experimentation on test systems. Getting a single Linux  
box to authenticate against the domain is one thing; integrating 80+  
Linux boxes is something different.

Have people on this list done Active Directory integration with full  
clusters? I'm interested in all pointers, war stories, product/vendor  
recommendations, etc. that people would be willing to share. Of  
particular concern to me is how to bring the directory/authentication  
info into the private cluster network so the compute nodes can make  
use of it -- some methods involve password synchronization and others  
seem to involve bringing an AD server directly onto the cluster  
network.  Only a few of the commercial Linux/Active Directory  
integration offerings seem to promise "minimal or zero" configuration  
changes on the actual domain server (a key point as I doubt we'll be  
allowed to mess with the domain servers much themselves).

I'll summarize any responses and can tell y'all how the project went  
sometime next year!


