Advice on user management

Issues related to applications and software problems and general support
mazellan
Posts: 10
Joined: 2018/01/25 19:42:28
Location: Sweden

Advice on user management

Post by mazellan » 2020/09/28 06:54:01

Hi!

We are about to install a new medium/small computer cluster with CentOS 8. It will consist of 20 nodes and 30-40 users. There will be about 10-15 guest users that come and go per year. There will probably be three user categories with different privileges: user, lightweight-user and guest.

My question is; which user management system is the *best*?

By *best* I mean a good balance between time spent setting it up and the gain in management.

In the old cluster we used a NIS server for this. I have been looking at openLDAP and freeIPA (no previous experience in setting up those) (OT. freeIPA has by far the coolest name :mrgreen: ). But... are they overkill? Any other suggestion?


Thanks in advance.

TrevorH
Forum Moderator
Posts: 29902
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Advice on user management

Post by TrevorH » 2020/09/28 07:29:32

If it makes your choice easier, I'm pretty sure that RH have announced that NIS is deprecated in el8 and likely to be removed in 9. Openldap has already gone that route and has been removed from el8 so that leaves you with freeipa from your list. I'd add 389-ds in there as an extra choice.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

jlehtone
Posts: 3172
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Advice on user management

Post by jlehtone » 2020/09/28 07:34:38

We had NIS a long time ago. Some compute clusters have continued with NIS as it is supposedly "light".
We did move into openLDAP from NIS and then did add Kerberos. CentOS 8 does not have openLDAP server.

I did look at freeIPA this summer and saw its list of components. Most of those we already had in some form.
FreeIPA has Directory Server (389-ds) instead of openLDAP server, so we migrated from openLDAP to 389-ds
rather than installing whole freeIPA.


However, in compute clusters we have done something different. All accounts are local, created in each machine.
Compute cluster is used with SLURM, which by default uses munged for job authentication.
Home and work directories are mounted from file servers, so each machine sees the same files.
Only ssh keypair authentication is allowed.

How do we configure/manage those systems and accounts? With Ansible. See https://docs.ansible.com/ansible/latest/index.html
There are many configuration management systems. See https://wiki.centos.org/SpecialInterest ... agementSIG

Why did we choose Ansible? A national grid of clusters has it in use, so there was an incentive/synergy to learn that tool.

If you want to test ansible, then:

Code:

sudo dnf install centos-release-ansible-29 # repository definition from extras repo
sudo dnf install ansible # install tool from the centos-ansible-29 repo

Ansible can/should be run as regular user. (It can use sudo.)


There is no *best*. There are tools that you know how to use. You choose from them (or are forced to learn a new tool, properly).
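
The approach described in the post above (local accounts on every node, shared home directories, SSH keys only), sketched as an Ansible playbook. This is an added example, not the poster's own playbook: the inventory group, user names, UIDs/GIDs, keys and expiry date are constructed, and it assumes home directories already exist on the file server and are writable by root on the node that installs the keys.

```yaml
# Added example: all names, IDs, keys and dates below are constructed placeholders.
- hosts: cluster_nodes                 # hypothetical inventory group
  become: true
  vars:
    cluster_groups:                    # one group per user category
      - { name: users, gid: 5000 }
      - { name: lightusers, gid: 5001 }
      - { name: guests, gid: 5002 }
    cluster_users:
      - { name: alice, uid: 6001, group: users,
          pubkey: "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER alice@example" }
      - { name: guest01, uid: 6501, group: guests,
          expires: 1640995200,         # epoch seconds, 2022-01-01 UTC
          pubkey: "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER guest01@example" }
  tasks:
    - name: Same GID on every node so file ownership on shared storage matches
      group:
        name: "{{ item.name }}"
        gid: "{{ item.gid }}"
      loop: "{{ cluster_groups }}"

    - name: Local accounts with fixed UIDs; no password is set, guests expire
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        group: "{{ item.group }}"
        create_home: false             # homes come from the file server
        expires: "{{ item.expires | default(omit) }}"
      loop: "{{ cluster_users }}"

    - name: Install each user's key once; homes are shared between nodes
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.pubkey }}"
        exclusive: true                # drop keys not listed here
      loop: "{{ cluster_users }}"
      run_once: true

    - name: Allow key authentication only
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s'
        line: PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

Short module names are used because the thread installs Ansible 2.9; on newer releases `authorized_key` comes from the `ansible.posix` collection.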

mazellan
Posts: 10
Joined: 2018/01/25 19:42:28
Location: Sweden

Re: Advice on user management

Post by mazellan » 2020/09/28 07:39:53

OK, I read somewhere that freeIPA also was deprecated from 8(?). Not true then I guess? I'll have a look at 389-ds. Which one of them would you recommend? (least pain for a moderately skilled adm)

A possible future application would be an internal website. Can one use any of those two for handling the login? If so, is it fairly easy to set it up? Otherwise I think I will restrict the internal pages with some other "ugly-hack" :)

EDIT:
Thank you jlehtone (my answer above was to trevor). I will have a look at ansible

jlehtone
Posts: 3172
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Advice on user management

Post by jlehtone » 2020/09/28 08:14:27

CentOS 8 has 389-ds, but the "stream" is not enabled by default. To get dirsrv:

Code:

sudo dnf module enable 389-ds # enable the AppStream module
sudo dnf install 389-ds-base # install directory server

I seem to have configured an instance with:

Code:

sudo dscreate -v interactive

I think that Apache can be configured to use PAM for authentication.

centibod
Posts: 8
Joined: 2017/09/16 10:40:17

Re: Advice on user management

Post by centibod » 2020/09/28 17:05:13

We switched from NIS to IPA for our new CentOS 8 cluster build. 50 nodes, 100 users (and growing) and it's been performing well.

There's a learning curve to it sure, but stick it on a test VM and have a play and it doesn't take long to get your head around. The GUI helps too. Letting it do DNS also helps, although we gave it a private domain name to keep it happy and use publicly registered (and different) names for the few machines that need to be seen externally.

All managed via ansible too, with fairly simple playbooks in the end. Happy to share if it'll help.

AsstInverter
Posts: 3
Joined: 2020/07/30 10:28:52

Re: Advice on user management

Post by AsstInverter » 2020/10/05 10:55:39

I can't comment with too much authority on the fitness for your particular situation, but FreeIPA has treated our little company very, very well. (About a dozen workstations and as many compute nodes across three sites.)
