DirectoryService section

The Active Directory (AD) domain that you use for identity information.

DomainName accepts both the Fully Qualified Domain Name (FQDN) and LDAP Distinguished Name (DN) formats.

This property corresponds to the sssd-ldap parameter that's called ldap_search_base.

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

The URI or URIs that point to the AD domain controller that's used as the LDAP server. The URI corresponds to the SSSD-LDAP parameter that's called ldap_uri. The value can be a comma separated string of URIs. To use LDAP, you must add ldap:// to the beginning of the each URI.

Example values:

ldap://192.0.2.0,ldap://203.0.113.0          # LDAP
ldaps://192.0.2.0,ldaps://203.0.113.0        # LDAPS without support for certificate verification
ldaps://abcdef01234567890.corp.example.com  # LDAPS with support for certificate verification
192.0.2.0,203.0.113.0                        # Amazon ParallelCluster uses LDAPS by default

If you use LDAPS with certificate verification, the URIs must be hostnames.

If you use LDAPS without certificate verification or LDAP, URIs can be hostnames or IP addresses.

Use LDAP over TLS/SSL (LDAPS) to avoid transmission of passwords and other sensitive information over unencrypted channels. If Amazon ParallelCluster doesn't find a protocol, it adds ldaps:// to the beginning of each URI or hostname.

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret that contains the DomainReadOnlyUser plaintext password. The content of the secret corresponds to SSSD-LDAP parameter that's called ldap_default_authtok.

The LDAP client uses the password to authenticate to the AD domain as a DomainReadOnlyUser when requesting identity information.

If the user has the permission to DescribeSecret, PasswordSecretArn is validated. PasswordSecretArn is valid if the specified secret exists. If the user IAM policy doesn't include DescribeSecret, PasswordSecretArn isn't validated and a warning message is displayed. For more information, see Base Amazon ParallelCluster pcluster user policy.

When the value of the secret changes, the cluster isn't automatically updated. To update the cluster for the new secret value, you must stop the compute fleet with the pcluster update-compute-fleet command and then run the following command from within the head node.

$ sudo /opt/parallelcluster/scripts/directory_service/update_directory_service_password.sh

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

The identity that's used to query the AD domain for identity information when authenticating cluster user logins. It corresponds to SSSD-LDAP parameter that's called ldap_default_bind_dn. Use your AD identity information for this value.

Specify the identity in the form required by the specific LDAP client that's on the node:

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

The absolute path to a certificates bundle containing the certificates for every certification authority in the certification chain that issued a certificate for the domain controllers. It corresponds to the SSSD-LDAP parameter that's called ldap_tls_cacert.

A certificate bundle is a file that's composed of the concatenation of distinct certificates in PEM format, also known as DER Base64 format in Windows. It is used to verify the identity of the AD domain controller that is acting as the LDAP server.

Amazon ParallelCluster isn't responsible for initial placement of certificates onto nodes. As the cluster administrator, you can configure the certificate in the head node manually after the cluster is created or you can use a bootstrap script. Alternatively, you can use an Amazon Machine Image (AMI) that includes the certificate configured on the head node.

Simple AD doesn't provide LDAPS support. To learn how to integrate a Simple AD directory with Amazon ParallelCluster, see How to configure an LDAPS endpoint for Simple AD in the Amazon Security Blog.

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

Specifies what checks to perform on server certificates in a TLS session. It corresponds to SSSD-LDAP parameter that's called ldap_tls_reqcert.

Valid values: never, allow, try, demand, and hard.

never, allow, and try enable connections to proceed even if problems with certificates are found.

demand and hard enable communication to continue if no problems with certificates are found.

If the cluster administrator uses a value that doesn't require the certificate validation to succeed, a warning message is returned to the administrator. For security reasons, we recommend that you don't disable certificate verification.

The default value is hard.

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

Specifies a filter to limit directory access to a subset of users. This property corresponds to the SSSD-LDAP parameter that's called ldap_access_filter. You can use it to limit queries to an AD that supports a large number of users.

This filter can block user access to the cluster. However, it doesn't impact the discoverability of blocked users.

If this property is set, the SSSD parameter access_provider is set to ldap internally by Amazon ParallelCluster and must not be modified by DirectoryService / AdditionalSssdConfigs settings.

If this property is omitted and customized user access isn't specified in DirectoryService / AdditionalSssdConfigs, all users in the directory can access the cluster.

Examples:

"!(cn=SomeUser*)"  # denies access to every user with alias starting with "SomeUser"
"(cn=SomeUser*)"   # allows access to every user with alias starting with "SomeUser"
"memberOf=cn=TeamOne,ou=Users,ou=CORP,dc=corp,dc=example,dc=com" # allows access only to users in group "TeamOne".

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

Defines whether Amazon ParallelCluster generates an SSH key for cluster users immediately after their initial authentication on the head node.

If set to true, an SSH key is generated and saved to USER_HOME_DIRECTORY/.ssh/id_rsa, if it doesn't exist, for every user after their first authentication on the head node.

Users can use the SSH key for subsequent logins to the cluster head node and compute nodes. With Amazon ParallelCluster, password logins to cluster compute nodes are disabled by design. If a user hasn't logged into the head node, SSH keys aren't generated and the user won't be able to log in to compute nodes.

The default is true.

Update policy: The compute fleet must be stopped for this setting to be changed for an update.

A dict of key-value pairs containing SSSD parameters and values to write to the SSSD config file on cluster instances. For a full description of the SSSD configuration file, see the on-instance man pages for SSSD and related configuration files.

The SSSD parameters and values must be compatible with Amazon ParallelCluster's SSSD configuration as described in the following list.

The following configuration snippets are examples of valid configurations for AdditionalSssdConfigs.

This example enables debug level for SSSD logs, restricts the search base to a specific organizational unit, and disables credentials caching.

DirectoryService:
  ...
  AdditionalSssdConfigs:
    debug_level: "0xFFF0"
    ldap_search_base: OU=Users,OU=CORP,DC=corp,DC=example,DC=com
    cache_credentials: False

This example specifies the configuration of an SSSD simple access_provider. Users from the EngineeringTeam are provided access to the directory. DirectoryService / LdapAccessFilter must not be set in this case.

DirectoryService:
  ...
  AdditionalSssdConfigs:
    access_provider: simple
    simple_allow_groups: EngineeringTeam

Update policy: The compute fleet must be stopped for this setting to be changed for an update.