Centralized authentication on the cluster

The security feature lets you set up FreeIPA or OpenLDAP to provide centralized authentication for the HPC cluster.

Configuring FreeIPA/LDAP security

Prerequisites

  • Run local_repo.yml to create offline repositories of FreeIPA or OpenLDAP. If both were downloaded, ensure that the non-required system is removed from input/software_config.json before running security.yml. For more information, click here.

  • Enter the following parameters in input/security_config.yml.

Parameters for Authentication

Parameter

Details

domain_name

string Required

  • Sets the intended domain name.

  • If the base DN is dc=omnia,dc=test, provide omnia.test

  • If the base DN is dc=dell,dc=omnia,dc=com, provide dell.omnia.com

    Default value: omnia.test

Parameters for OpenLDAP configuration

Parameter

Details

ldap_connection_type

string Required

For a TLS connection, provide a valid certificate path. For an SSL connection, ensure that port 636 is open.

Choices:

  • TLS <- Default

  • SSL

tls_ca_certificate

string Optional

File path of the certificate issued by the Certificate Authority (CA). Certificate files should be saved with a .pem or .crt extension. If not provided, Omnia generates a self-signed certificate.

tls_certificate

string Optional

File path pointing to the certificate used to authorize the LDAP server. Certificate files should be saved with a .pem or .crt extension.

tls_certificate_key

string Optional

The private key that matches the LDAP certificate.

openldap_db_username

string Required

The username used to manage the LDAP database.

Default value: "admin"

openldap_db_password

string Required

The password used to configure and manage the LDAP database. Ensure that this value is 8 characters long.

openldap_config_username

string Required

The username used to configure the LDAP database.

Default value: "admin"

openldap_config_password

string Required

The password used to configure the LDAP database. Ensure that this value is 8 characters long.

openldap_monitor_password

string Required

The password used to monitor the LDAP database. Ensure that this value is 8 characters long.

openldap_organization

string Required

The LDAP server is configured using organizations. They are necessary for user creation and group mapping.

Default value: "omnia"

openldap_organizational_unit

string Required

The organizational unit (ou) within the organization under which user entries are created. It is necessary for user creation and group mapping.

Default value: "People"

Parameters for FreeIPA configuration

Parameter

Details

realm_name

string Required

  • Sets the intended kerberos realm name.

  • It is required for FreeIPA setups.

  • A realm name is often, but not always, the upper case version of the DNS domain name over which it presides.

  • Default value: "OMNIA.TEST"

directory_manager_password

string Required

  • Directory server operations require an administrative user. This user is referred to as the Directory Manager, has full access to the directory for system management tasks, and is added to the directory server instance created for IPA.

  • The password must be at least 8 characters long.

  • The password must not contain a hyphen (-), a comma (,), a single quote (') or a double quote (").

kerberos_admin_password

string Required

  • The password of the IPA admin user. The IPA server requires an administrative user named 'admin'.

  • The password must be at least 8 characters long.

  • The password must not contain a hyphen (-), a comma (,), a single quote (') or a double quote (").

Create a new user on OpenLDAP

  1. Create an LDIF file (for example, create_user.ldif) on the auth server containing the following information:

    • DN: The distinguished name that indicates where the user will be created.

    • objectClass: The object class specifies the mandatory and optional attributes that can be associated with an entry of that class. Here, the values are inetOrgPerson, posixAccount, and shadowAccount.

    • uid: The username of the user being created.

    • sn: The surname of the intended user.

    • cn: The given name of the intended user.

Below is a sample file:

# User Creation
dn: uid=ldapuser,ou=People,dc=omnia,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
sn: ldapuser
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

# Group Creation
dn: cn=ldapuser,ou=Group,dc=omnia,dc=test
objectClass: posixGroup
cn: ldapuser
gidNumber: 2000
memberUid: ldapuser

Note

Avoid stray whitespace when using an LDIF file for user creation. Extra spaces in the input data are stored as part of the value by OpenLDAP and cause access failures.

  2. Run the command ldapadd -D <admin database username> -w <admin database password> -f create_user.ldif to execute the LDIF file and create the account.

  3. To set up a password for this account, use the command ldappasswd -D <admin database username> -w <admin database password> -S <user_dn>. The value of user_dn is the distinguished name that indicates where the user was created (in this example, uid=ldapuser,ou=People,dc=omnia,dc=test).
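The following is an added example, not part of the Omnia documentation or code base: it derives the base DN from domain_name the way the parameter table describes, renders the user and group entries of the sample LDIF above for an arbitrary user, and lints an LDIF for the whitespace defects the Note warns about before anything is handed to ldapadd. The attribute layout and the "Group" organizational unit are taken from the sample; the username pattern is an assumption.

```python
import re

def domain_to_base_dn(domain_name: str) -> str:
    """Map domain_name from security_config.yml to an LDAP base DN,
    e.g. 'omnia.test' -> 'dc=omnia,dc=test' (the mapping shown above)."""
    labels = [label for label in domain_name.strip().split(".") if label]
    if not labels:
        raise ValueError("domain_name must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)

def user_ldif(username, uid_number, base_dn, ou="People", group_ou="Group"):
    """Render the user and group entries of the sample LDIF above; every value is
    written as 'attr: value' with no trailing blanks, so the Note's whitespace
    problem cannot arise. Returns (ldif_text, user_dn)."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", username):  # assumed username rule
        raise ValueError(f"not a POSIX-style username: {username!r}")
    user_dn = f"uid={username},ou={ou},{base_dn}"
    lines = [
        "# User Creation",
        f"dn: {user_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {username}",
        f"sn: {username}",
        "loginShell: /bin/bash",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{username}",
        "shadowLastChange: 0", "shadowMax: 0", "shadowWarning: 0",
        "",
        "# Group Creation",
        f"dn: cn={username},ou={group_ou},{base_dn}",
        "objectClass: posixGroup",
        f"cn: {username}",
        f"gidNumber: {uid_number}",
        f"memberUid: {username}",
    ]
    return "\n".join(lines) + "\n", user_dn

def ldif_whitespace_problems(ldif_text):
    """Return (line_no, line) for lines with trailing whitespace or no space after
    the attribute colon ('loginShell:/bin/bash'); this is the check the Note above
    asks for before running ldapadd."""
    problems = []
    for n, line in enumerate(ldif_text.splitlines(), 1):
        if line != line.rstrip() or re.match(r"^[A-Za-z][\w;-]*:[^: ]", line):
            problems.append((n, line))
    return problems
```

When loading the generated file, ldapadd -D <admin dn> -W -f create_user.ldif prompts for the password, whereas -w places it in the shell history and process list.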

Configuring login node security

Prerequisites

  • Run local_repo.yml to create an offline repository of all utilities used to secure the login node. For more information, click here.

Enter the following parameters in input/login_node_security_config.yml.

Variable

Details

max_failures

integer Optional

The number of login failures that can take place before the account is locked out.

Default value: 3

failure_reset_interval

integer Optional

Period (in seconds) after which the number of failed login attempts is reset. Min value: 30; Max value: 60.

Default value: 60

lockout_duration

integer Optional

Period (in seconds) for which users are locked out. Min value: 5; Max value: 10.

Default value: 10

session_timeout

integer Optional

Period (in seconds) of inactivity after which an idle user session is ended automatically. Min value: 90; Max value: 180.

Default value: 180

alert_email_address

string Optional

Email address used for sending alerts in case of authentication failure. When blank, authentication failure alerts are disabled. Currently, only one email ID is accepted.

user

string Optional

Access control list of users. Accepted formats are username@ip (root@1.2.3.4) or username (root). Multiple users can be separated using whitespaces.

allow_deny

string Optional

This variable decides whether the listed users are allowed or denied access. Ensure that the AllowUsers or DenyUsers entries in the sshd configuration file are not commented out.

Choices:

  • allow <- Default

  • deny

restrict_program_support

boolean Optional

Set to true to disable the services listed in restrict_softwares. Root access is mandatory.

Choices:

  • false <- Default

  • true

restrict_softwares

string Optional

List of services to be disabled (Comma-separated). Example: ‘telnet,lpd,bluetooth’

Choices:

  • telnet

  • lpd

  • bluetooth

  • rlogin

  • rexec
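An added example, not part of Omnia: a small checker for input/login_node_security_config.yml that enforces the ranges, choices and the username / username@ip ACL format documented in the table above. The flat key: value reader is an assumption that suffices for this file; the IPv4-only ACL pattern and the sample file are constructed for the example.

```python
import re

# Documented bounds and choices for input/login_node_security_config.yml (table above).
RANGES = {"failure_reset_interval": (30, 60), "lockout_duration": (5, 10),
          "session_timeout": (90, 180)}
KNOWN_SERVICES = {"telnet", "lpd", "bluetooth", "rlogin", "rexec"}
# 'username' or 'username@ip' as documented for the user parameter (IPv4 assumed).
USER_ENTRY = re.compile(r"^[a-z_][a-z0-9_-]*(@\d{1,3}(\.\d{1,3}){3})?$")

def parse_simple_yaml(text):
    """Minimal 'key: value' reader for this flat file (no nesting, no '#' in values)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cfg[key] = value.strip("\"'")
    return cfg

def validate(cfg):
    """Return a list of problems; empty means the values match the documented rules."""
    problems = []
    for key in ("max_failures", *RANGES):
        raw = cfg.get(key, "")
        if raw == "":
            continue  # optional parameter: Omnia applies the documented default
        if not raw.isdigit():
            problems.append(f"{key}: not a non-negative integer ({raw!r})")
        elif key in RANGES and not RANGES[key][0] <= int(raw) <= RANGES[key][1]:
            problems.append(f"{key}: {raw} outside {RANGES[key][0]}..{RANGES[key][1]}")
    if cfg.get("allow_deny", "allow") not in ("allow", "deny"):
        problems.append("allow_deny: must be 'allow' or 'deny'")
    for entry in cfg.get("user", "").split():
        if not USER_ENTRY.match(entry):
            problems.append(f"user: bad ACL entry {entry!r} (expected username or username@ip)")
    if cfg.get("restrict_program_support", "false") == "true":
        for svc in filter(None, (s.strip() for s in cfg.get("restrict_softwares", "").split(","))):
            if svc not in KNOWN_SERVICES:
                problems.append(f"restrict_softwares: unsupported service {svc!r}")
    return problems

# Constructed sample (not a real Omnia file): two of its values break the rules.
SAMPLE_CONFIG = """\
max_failures: 3
failure_reset_interval: 120
user: "root@1.2.3.4 hpcadmin"
allow_deny: allow
restrict_program_support: true
restrict_softwares: "telnet,lpd,cups"
"""
```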

Installing LDAP Client

Caution

No users/groups will be created by Omnia.

FreeIPA installation on the NFS node

IPA services are used to provide account management and centralized authentication.

To customize your installation of FreeIPA, enter the following parameters in input/security_config.yml.

Input Parameter

Definition

Variable value

kerberos_admin_password

“admin” user password for the IPA server on RockyOS and RedHat.

The password can be found in the file input/security_config.yml.

ipa_server_hostname

The hostname of the IPA server

The hostname can be found on the manager node.

domain_name

Domain name

The domain name can be found in the file input/security_config.yml.

ipa_server_ipadress

The IP address of the IPA server

The IP address can be found on the IPA server on the manager node using the ip a command. This IP address should be accessible from the NFS node.

To set up IPA services for the NFS node in the target cluster, run the following command from the utils/cluster folder on the control plane:

cd utils/cluster
ansible-playbook install_ipa_client.yml -i inventory -e kerberos_admin_password="" -e ipa_server_hostname="" -e domain_name="" -e ipa_server_ipadress=""

Hostname requirements

  • The hostname should not contain the following characters: , (comma), . (period) or _ (underscore). The domain name, however, may contain commas and periods.

  • The hostname cannot start or end with a hyphen (-).

  • No upper case characters are allowed in the hostname.

  • The hostname cannot start with a number.

  • The hostname and the domain name (that is: hostname00000x.domain.xxx) cumulatively cannot exceed 64 characters. For example, if the node_name provided in input/provision_config.yml is ‘node’, and the domain_name provided is ‘omnia.test’, Omnia will set the hostname of a target cluster node to ‘node000001.omnia.test’. Omnia appends 6 digits to the hostname to individually name each target node.
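An added example, not part of Omnia: a checker that applies the hostname rules listed above to a node_name prefix and builds the first generated FQDN (node_name, six appended digits, domain_name) to test the 64-character limit. Rejecting characters other than letters, digits and hyphens is an assumption beyond the list above.

```python
import re

SUFFIX_DIGITS = 6   # Omnia appends six digits: 'node' becomes 'node000001'
MAX_FQDN_LEN = 64   # hostname plus domain name, as stated above

def check_node_name(node_name, domain_name):
    """Apply the hostname rules listed above to a node_name prefix and return
    (ok, reasons, example_fqdn), where example_fqdn is the first generated name."""
    reasons = []
    if not node_name:
        reasons.append("is empty")
    if any(ch in node_name for ch in ",._"):
        reasons.append("contains ',' '.' or '_'")
    if node_name.startswith("-") or node_name.endswith("-"):
        reasons.append("starts or ends with '-'")
    if node_name != node_name.lower():
        reasons.append("contains upper case characters")
    if node_name[:1].isdigit():
        reasons.append("starts with a number")
    # Anything beyond letters, digits and '-' is rejected too (assumption, not on the page).
    leftover = re.sub(r"[a-z0-9,._-]", "", node_name.lower())
    if leftover:
        reasons.append(f"contains unsupported characters {sorted(set(leftover))}")
    fqdn = f"{node_name}{'1'.zfill(SUFFIX_DIGITS)}.{domain_name}"
    if len(fqdn) > MAX_FQDN_LEN:
        reasons.append(f"'{fqdn}' is {len(fqdn)} characters, limit is {MAX_FQDN_LEN}")
    return (not reasons, reasons, fqdn)
```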

Note

Use the format specified under NFS inventory in the Sample Files for inventory.

Running the security role

Run:

cd security
ansible-playbook security.yml -i inventory

The inventory should contain an auth_server group, as in the inventory file under Sample Files. The inventory file is case-sensitive. Follow the format provided in the sample file link.

  • Do not include the IP of the control plane or local host in the auth_server group in the passed inventory.

  • To customize the security features on the login node, fill out the parameters in input/login_node_security_config.yml.

  • If a subsequent run of security.yml fails, the security_config.yml file is left unencrypted.

Caution

No users will be created by Omnia.

If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.