Securing LDAP calls in HPC2012R2_Update3_Full

  • Question

  • Hi

    We use an enterprise network node HPC cluster (HPC2012R2_Update3_Full). We started noticing that HPC is calling LDAP servers using 389 (non-secure port) rather than using the 636 secure port using the root certificate in the Windows box. HPC executes jobs using a service account (AD account).

    Is there a way to secure this? Does HPC (this version) have a provision to provide a certificate for this?

    Our preliminary research showed the DHCP server PID is using this.

    Any guidance is greatly appreciated.


    • Edited by sattigadu Thursday, March 14, 2019 4:46 PM
    Thursday, March 14, 2019 4:42 PM

All replies

  • Hi Sattigadu,

      Do you know which process is calling the LDAP server using 389? By simply searching the source code, I could find place that make call to this.

      And HPC Pack won't have a dependency on DHCP only if you enabled a private network. If you don't need the headnode to serve DHCP, you shall disable that service.


    Qiufang Shi

    Friday, March 15, 2019 3:26 AM
  • Thanks for the response. We run in enterprise mode. I think we can disable DHCP mode as we don't use it. After more tracing we realized it's only happening in our compute nodes. By default all Windows uses LDAP 389 for its operations (AD Domain Services (authentication, GPO, replication, trust)) and it directly talks to the domain controller. We are noticing calls going to the load balancer of the AD team from the compute nodes, which makes it tricky.

    Do you know where HPC picks the LDAP details?

    Thanks,

    Sahitya

    Sunday, March 17, 2019 9:10 PM
  • What kind of details are you requesting?

    Below are the places related to AD for the compute node:

    1. HPC Pack services will do AD authentication (logon as the job's runas user, and create/start the user process with the logon token).

    2. HPC Pack services on the compute node will securely communicate with the head node service through Kerberos authentication.


    Qiufang Shi

    Monday, March 18, 2019 2:18 AM
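
To answer the question raised in the replies above (which process on a compute node is opening connections to port 389), one approach is to poll the TCP connection table and map each connection to its owning process and the services it hosts. This is an added example, not part of the original thread or of HPC Pack; the sampling window and interval are assumed values.

```powershell
# Added example: sample outbound TCP connections to LDAP (389) and LDAPS (636)
# and attribute each one to the owning process and any services it hosts.
# $SampleSeconds and $IntervalMs are assumed values; size them to a typical job.
$SampleSeconds = 60
$IntervalMs    = 500
$seen = @{}   # key "pid|remoteaddr|remoteport" -> first observation

$deadline = (Get-Date).AddSeconds($SampleSeconds)
while ((Get-Date) -lt $deadline) {
    # LDAP binds are often short-lived, so poll instead of taking one snapshot.
    $conns = Get-NetTCPConnection -RemotePort 389, 636 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        # Sockets in TIME_WAIT are reported under PID 0 and cannot be attributed.
        if ($c.OwningProcess -eq 0) { continue }

        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }

        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        # Several services can share one host process (svchost.exe, lsass.exe),
        # so list every service running under this PID.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                Select-Object -ExpandProperty Name

        $seen[$key] = [pscustomobject]@{
            FirstSeen     = Get-Date
            ProcessId     = $c.OwningProcess
            Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Services      = ($svcs -join ',')
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            Transport     = if ($c.RemotePort -eq 636) { 'LDAPS' } else { 'LDAP (389)' }
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# One row per distinct process/destination pair seen during the window.
$seen.Values | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```

A connection on 389 is not necessarily cleartext: Windows components commonly bind with SASL (Kerberos) signing and sealing on that port, so confirm with a packet capture before treating each row as unencrypted traffic.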