Configure LDAP for CGE

Information about setting up LDAP for CGE

To set up an LDAP-based Apache® Shiro template configuration file, issue the following command on the login node of the system where CGE is to run:
$ cge-cli generate shiro ldap > $HOME/.cge/shiro.ini
This command creates a template configuration that you can edit to work with your site's LDAP server. If running CGE on a Urika-GX system, Cray recommends running a centrally configured LDAP server for the Urika-GX cluster on the login node and using it as a forwarding agent to the site's enterprise LDAP. To use this approach for configuring LDAP for CGE, change the following line in the configuration so that it names the login node instead of host-login1:
ldapRealm.contextFactory.url = ldap://host-login1:389
For example:
ldapRealm.contextFactory.url = ldap://machine-login1:389

In the preceding example, machine stands for the name of the system. This line tells Apache Shiro where to find the Urika-GX LDAP server, which resides on the login1 node as Urika-GX is shipped.

The configuration that results here will be Forms-based. To use an HTTP basic configuration with LDAP, change the following line:
/** = authc
to:
/** = authcBasic

This makes HTTP basic authentication (authcBasic), rather than forms authentication (authc), the default requirement for accessing Web UI pages.

The CGE web UI can also be integrated directly with the site's LDAP server, in which case the configuration must match what the site's LDAP server expects. To enable this, edit the part of the template that looks like:
# Define a LDAP realm
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
 
# Configure the template for User lookups
# You will need to ask a system administrator what the format should be here
# The following is the default on Urika-GX systems as shipped but your system
# may be differently configured
ldapRealm.userDnTemplate = uid={0},ou=People,ou=external,dc=local
 
# Configure to point to LDAP server of choice
# The LDAP server resides on the login1 node on Urika-GX systems as shipped
# 389 is the normal default port for LDAP servers
ldapRealm.contextFactory.url = ldap://host-login1:389
 
# Only uncomment and change this if your server needs a specific auth mechanism.
# By default the client should negotiate this automatically with the server
#ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
 
# If your LDAP server needs credentials to access it set them here
# In most cases this should be unnecessary
#ldapRealm.contextFactory.systemUsername = ldap-admin
#ldapRealm.contextFactory.systemPassword = ldap-admin-password
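The edits described above (replacing host-login1 in ldapRealm.contextFactory.url, choosing authc or authcBasic for /**, keeping the {0} placeholder in userDnTemplate, and leaving the system credential lines commented unless the server requires them) are easy to get wrong by hand. The following audit script is an added example, not part of the CGE documentation or the cge-cli tool; it parses a shiro.ini and reports each of those points. It assumes the standard Shiro INI layout with [main] and [urls] sections, and the sample file embedded in it is constructed for the example.

```python
"""Added example (not from the CGE documentation): audit the LDAP settings of a
generated Shiro shiro.ini for the edits the page asks for.  Assumes the standard
Shiro INI layout ([main] for the realm, [urls] for the filter chain)."""
import configparser
from urllib.parse import urlsplit

PLACEHOLDER_HOST = "host-login1"  # host name used by the generated template

# Constructed sample: a site edited the template but left the URL untouched
# and uncommented the system credentials.
SAMPLE_INI = """\
[main]
# Define a LDAP realm
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=People,ou=external,dc=local
ldapRealm.contextFactory.url = ldap://host-login1:389
#ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
ldapRealm.contextFactory.systemUsername = ldap-admin
ldapRealm.contextFactory.systemPassword = ldap-admin-password

[urls]
/** = authcBasic
"""


def parse_shiro_ini(text):
    """Parse Shiro's INI dialect: '=' is the only delimiter (values contain
    ':'), keys are case-sensitive, '%' is literal, '#' lines are comments."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   comment_prefixes=("#", ";"))
    cp.optionxform = str  # keep ldapRealm.contextFactory.url exactly as written
    cp.read_string(text)
    return cp


def audit_shiro_ini(text):
    """Return the LDAP host, the web UI auth mode and a list of findings."""
    cp = parse_shiro_ini(text)
    main = cp["main"] if cp.has_section("main") else {}
    urls = cp["urls"] if cp.has_section("urls") else {}
    findings = []

    # 1. The template host must be replaced with the real login node.
    url = main.get("ldapRealm.contextFactory.url", "")
    host = urlsplit(url).hostname or ""
    if not host:
        findings.append("ldapRealm.contextFactory.url is missing or has no host")
    elif host == PLACEHOLDER_HOST:
        findings.append(f"contextFactory.url still names the template host "
                        f"{PLACEHOLDER_HOST}; replace it with your login node")

    # 2. The user DN template must keep the {0} slot that receives the login name.
    dn_template = main.get("ldapRealm.userDnTemplate", "")
    if "{0}" not in dn_template:
        findings.append("userDnTemplate lacks the {0} username placeholder")

    # 3. System credentials are normally unnecessary; if set, they live in
    #    the file in clear text, so flag them for review.
    for key in ("systemUsername", "systemPassword"):
        if f"ldapRealm.contextFactory.{key}" in main:
            findings.append(f"{key} is set: directory credentials are stored in shiro.ini")

    # 4. A pinned auth mechanism overrides the client/server negotiation.
    mech = main.get("ldapRealm.contextFactory.authenticationMechanism")
    if mech:
        findings.append(f"authenticationMechanism pinned to {mech}; confirm the server needs it")

    # 5. Which filter guards every Web UI page: forms (authc) or HTTP basic.
    auth_mode = {"authc": "forms", "authcBasic": "http-basic"}.get(
        urls.get("/**", ""), "unknown")

    return {"ldap_host": host, "auth_mode": auth_mode, "findings": findings}


if __name__ == "__main__":
    report = audit_shiro_ini(SAMPLE_INI)
    print(f"LDAP host: {report['ldap_host']}  auth mode: {report['auth_mode']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against a real file with `audit_shiro_ini(open("~/.cge/shiro.ini").read())` after expanding the path; an empty findings list and the expected auth mode mean the template was edited as this page describes.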