User synchronization across cluster


Kellen O'Connor

Jan 25, 2018, 11:42:15 AM
to stacki

Does stacki have any features to facilitate user account synchronization across a cluster? I have an interest in using OpenLDAP -> Active Directory authentication on the headnode, and was wondering if there were any easy way to force backend nodes to replicate user accounts/passwords. If not, are there any solutions in mind? I had thought about making an OpenLDAP proxy on the headnode to facilitate AD requests on the backend nodes, but it's giving me a little bit of trouble, and may be more complicated than needed if there's a feature I'm not aware of.

Joe Kaiser

Jan 25, 2018, 11:54:37 AM
to sta...@googlegroups.com
Stacki doesn't have account sync natively, though we have seen some ways of handling it.

In the previous enterprise version, we used Salt to sync user configuration but that was assuming Unix uid/gid served from the frontend. 

We have had a few clients in the past who have used LDAP/AD authentication by using sssd on frontend and backends. I have old config files lying around. But those deployments assumed backends could get to the LDAP/AD servers. 

It was a hard solution to test because we never had LDAP/AD systems internally to figure it out for enterprise solutions. 

In most deployments we've seen, rarely are users allowed on backends, but if you're serving files and accounts from NFS or other network storage, I can see why you may need them everywhere. 

Ansible might be a good fit here also. 

Thanks,

Joe



Kellen O'Connor

Jan 25, 2018, 12:09:43 PM
to sta...@googlegroups.com
Thanks so much. I'll look into a possible fix with Ansible.
