How do I configure Bright to authenticate against an external NIS server?

The examples in this article assume:

A Type 1 network. In a Type 1 network the regular (compute) nodes are on an internal network behind the head node, and only the head node optionally connects to an external network.

A NIS server that is outside the internal network.

The IP address of the NIS server is 10.2.185.122, and the NIS domain name is cp-domain.

A user testuser defined in the passwd map with uid 1001.

The reader knows whether the users' home directories need to be mounted from a different NFS server, and knows how to configure that.

This procedure was tested in Bright 8.0 and Bright 7.3, but it should work for previous versions of Bright without modifications. This article applies to both RHEL 7 and RHEL 6 distributions and their derivatives.

The simplest scenario is described first. Modifications are elaborated upon later.

Scenario 1: The users authenticate only against the NIS server

Configure the head node

To configure the head node, the LDAP healthcheck should be disabled:

In Bright 7.3 and previous versions, the following command should be used:
# cmsh -c "monitoring setup healthconf headnode; use ldap; set disabled yes; commit"

In Bright 8.0, the following command should be used:
# cmsh -c "monitoring setup; use ldap; set disabled yes; commit"

The LDAP service should then be disabled:
# cmsh -c "device use master; services; use slapd; set autostart no; set monitored no; commit; stop"

The required packages should be installed:
# yum install yp-tools ypbind

The file /etc/yp.conf should be edited with the following content:

domain cp-domain server 10.2.185.122

The /etc/nsswitch.conf file should have the following entries modified:

passwd:     files nis

shadow:     files nis

group:      files nis

The ypbind service should be added to Bright:

# cmsh -c "device use master; services; add ypbind; set monitored yes; set autostart yes; commit"

Disable the PAM LDAP configuration:

# authconfig --savebackup=pamldap

# authconfig --disableldapauth --disableldap --update

Configure the software images

The required packages have to be installed (do this step once for every software image):

# yum --installroot=/cm/images/<software_image> install yp-tools ypbind

The /etc/yp.conf file in every software image should be edited to have the following content:

domain cp-domain server 10.2.185.122

The /etc/nsswitch.conf file in every software image should be modified with the following entries:

passwd:     files nis

shadow:     files nis

group:      files nis

Disable the PAM LDAP configuration. To do this, chroot into each software image and run the following commands:

# authconfig --savebackup=pamldap

# authconfig --disableldapauth --disableldap --update

All compute nodes should then be rebooted.

The ypbind service should be added to every category:

# cmsh -c "category; foreach * (services; add ypbind; set monitored yes; set autostart yes); commit"

Test

On the head node the following command should be run and its output checked:
# id testuser

uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

A node should then be booted by the administrator with the new software image, and the following command run on it:

# id testuser

uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

Scenario 2: The users authenticate against Bright LDAP and the NIS server

Duplicate UIDs between Bright LDAP and the NIS server lead to conflicts. They should therefore be checked for, and cleaned up.
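An added check, not part of the article or of Bright, for finding the UID collisions mentioned above before NIS is enabled in nsswitch.conf. It takes two passwd(5)-format files; on the head node they could be produced with getent -s ldap passwd (or -s sss, depending on which source serves Bright LDAP) and ypcat passwd once ypbind is running. Those two commands are assumptions; the article does not name them.

```shell
# Added example: detect UIDs present in both the Bright LDAP passwd data and
# the NIS passwd map. Both inputs are passwd(5)-format files (constructed in the
# usage below; on a real head node they would come from getent/ypcat as noted).

# find_duplicate_uids <ldap_passwd_file> <nis_passwd_file>
# Prints one line per UID that occurs in both sources and flags a differing
# user name, since two names sharing a UID share file ownership on disk.
find_duplicate_uids() {
    awk -F: '
        # First file: remember user name per UID from LDAP.
        FILENAME == ARGV[1] { if (NF >= 3) ldap[$3] = $1; next }
        # Second file: report NIS entries whose UID is already taken by LDAP.
        NF >= 3 && ($3 in ldap) {
            printf "uid %s: ldap=%s nis=%s%s\n", $3, ldap[$3], $1,
                   ((ldap[$3] == $1) ? "" : " (name mismatch)")
        }
    ' "$1" "$2"
}

# Returns 0 when the two sources share no UID, 1 otherwise, so it can gate the
# nsswitch.conf change in a script.
check_no_duplicate_uids() {
    [ -z "$(find_duplicate_uids "$1" "$2")" ]
}
```

Only the UID column is compared; GIDs in the group map would need the same treatment with ypcat group.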

Configure the head node

The required packages must be installed:
# yum install yp-tools ypbind

The /etc/yp.conf file should be edited to have the following content:
domain cp-domain server 10.2.185.122

The /etc/nsswitch.conf file should have the entries for passwd, shadow and group modified by adding nis to their entries. For example, in CentOS 7 the entries would be like this:

passwd:     files sss ldap nis

shadow:     files sss ldap nis

group:      files sss ldap nis

The ypbind service should be added to Bright:

# cmsh -c "device use master; services; add ypbind; set monitored yes; set autostart yes; commit"

Configure the software images

The required packages have to be installed (do this step once for every software image):

# yum --installroot=/cm/images/<software_image> install yp-tools ypbind

The /etc/yp.conf file in every software image should be edited to have the following content:

domain cp-domain server 10.2.185.122

The /etc/nsswitch.conf file in every software image should be modified with the following entries:

passwd:     files nis

shadow:     files nis

group:      files nis

All compute nodes should then be rebooted.

The ypbind service should be added to Bright in every category:
# cmsh -c "category; foreach * (services; add ypbind; set monitored yes; set autostart yes); commit"

Test

On the head node the following commands should be run, and the output checked:
# id cmsupport

uid=1000(cmsupport) gid=1000(cmsupport) groups=1000(cmsupport)

# id testuser

uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

Boot a node with the new software image. Then run the following commands and check the output:
# id cmsupport

uid=1000(cmsupport) gid=1000(cmsupport) groups=1000(cmsupport)

# id testuser

uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)

Automounter configuration

If the automounter maps are to be loaded from the NIS server, some additional steps are required.

In this example it is assumed that the automounter maps are correct and that they do not reference local maps.

Important note

Filesystems mounted dynamically, that is, with an auto-mounter, cannot have their appearance or disappearance detected reliably.

To protect the filesystem from being wiped out accidentally by any live update operation, Bright stops any live update operation, including imageupdate and updateprovisioners. If disabling this feature is desired, then “AllowImageUpdateWithAutoMount=2” must be added to the list of advanced configurations in /cm/local/apps/cmd/etc/cmd.conf on the head node, and the cmd service should then be restarted in order to activate the change.
Any filesystem that may be imported via an auto-mount operation must explicitly be excluded by the administrator, by manually adding the filesystem to the update exclude list. This is to prevent an incorrect execution of imageupdate. Neglecting to do this may wipe out the filesystem, if it happens to be automounted in the middle of an imageupdate operation. For example, if /data is automounted and an “imageupdate” is performed while /data was originally not mounted, then it will get wiped out by the imageupdate command, because the provisioning sub-system does not detect that /data is an NFS share, thus wiping out the shared storage.

Configure the head node

The required package must be installed:
# yum install autofs

The /etc/nsswitch.conf file should be edited, and the entry for automount modified by replacing ldap with nis at the end. For example, in CentOS 7 the entry would be like this:

automount: files nis

The autofs service should be added to Bright:

# cmsh -c "device use master; services; add autofs; set monitored yes; set autostart yes; commit"

Configure the software images

The required package must be installed in every software image:

# yum --installroot=/cm/images/<software_image> install autofs

The /etc/nsswitch.conf file should be edited in every software image, and the entry for automount modified by replacing ldap with nis at the end. For example, in CentOS 7 the entry would be like this:

automount: files nis

The autofs service should be added to Bright in every category:

# cmsh -c "category; foreach * (services; add autofs; set monitored yes; set autostart yes); commit"
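An added helper, not part of the article or of Bright, that applies the /etc/yp.conf and /etc/nsswitch.conf edits from Scenario 1, Scenario 2 and the automounter section to one root directory: "/" for the head node, "/cm/images/<software_image>" for a software image. It assumes awk(1) as shipped with RHEL 6/7; the yum, cmsh and authconfig steps are still run as described in the article.

```shell
# Added example: file edits for the NIS client configuration described in this
# article, applied to a root directory so the same code serves the head node and
# every software image.

NIS_DOMAIN="cp-domain"        # values from the article
NIS_SERVER="10.2.185.122"

# Write <root>/etc/yp.conf with the single line the article specifies.
write_yp_conf() {
    printf 'domain %s server %s\n' "$NIS_DOMAIN" "$NIS_SERVER" > "$1/etc/yp.conf"
}

# nsswitch_set <root> "<db> <db> ..." "<source list>"
# Rewrites the lookup sources of the named databases in <root>/etc/nsswitch.conf
# and appends a line for any database the file lacks (e.g. automount).
# Idempotent, so re-running it after a package update is safe.
nsswitch_set() {
    conf="$1/etc/nsswitch.conf"
    tmp="$conf.tmp.$$"
    awk -v dbs="$2" -v src="$3" '
        BEGIN { n = split(dbs, want, " "); for (i = 1; i <= n; i++) hit[want[i] ":"] = 1 }
        ($1 in hit) { printf "%-12s%s\n", $1, src; seen[$1] = 1; next }
        { print }
        END { for (k in hit) if (!(k in seen)) printf "%-12s%s\n", k, src }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Scenario 1, and the software images in Scenario 2: NIS is the only network
# source for users and groups.
configure_nis_only() {
    write_yp_conf "$1"
    nsswitch_set "$1" "passwd shadow group" "files nis"
}

# Scenario 2 head node: keep Bright LDAP and add NIS after it, as on CentOS 7.
configure_ldap_and_nis() {
    write_yp_conf "$1"
    nsswitch_set "$1" "passwd shadow group" "files sss ldap nis"
}

# Automounter section: take the automount maps from NIS instead of LDAP.
configure_automount_from_nis() {
    nsswitch_set "$1" "automount" "files nis"
}
```

For example, configure_nis_only /cm/images/default-image followed by a chroot for the authconfig commands covers one software image in Scenario 1.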

Test

To check all is well, one of the directories referenced by the automounter maps should be listed. This should be checked within the head node, and within a compute node (booted with the updated software image). The mount command can be run to verify that the directory was mounted.

Updated on October 21, 2020