With this configuration, users will sign in with a third-party OpenID Connect provider. The provider will supply appropriate values for the issuer URL, client ID, and client secret config entries.
h2(#oidc). OpenID Connect
With this configuration, users will sign in with a third-party OpenID Connect provider. The provider will supply appropriate values for the issuer URL, client ID, and client secret config entries.
-<pre>
+{% codeblock as yaml %}
Login:
OpenIDConnect:
Enable: true
Issuer: https://accounts.example.com/
ClientID: "0123456789abcdef"
ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
Login:
OpenIDConnect:
Enable: true
Issuer: https://accounts.example.com/
ClientID: "0123456789abcdef"
ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
-</pre>
+{% endcodeblock %}
Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
@@ -64,7+64,7 @@ With this configuration, authentication uses an external LDAP service like OpenL
Enable LDAP authentication and provide your LDAP server's host, port, and credentials (if needed to search the directory) in @config.yml@:
Enable LDAP authentication and provide your LDAP server's host, port, and credentials (if needed to search the directory) in @config.yml@:
-<pre>
+{% codeblock as yaml %}
Login:
LDAP:
Enable: true
Login:
LDAP:
Enable: true
@@ -72,7+72,7 @@ Enable LDAP authentication and provide your LDAP server's host, port, and creden
SearchBindUser: cn=lookupuser,dc=example,dc=com
SearchBindPassword: xxxxxxxx
SearchBase: ou=Users,dc=example,dc=com
SearchBindUser: cn=lookupuser,dc=example,dc=com
SearchBindPassword: xxxxxxxx
SearchBase: ou=Users,dc=example,dc=com
-</pre>
+{% endcodeblock %}
The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
The email address reported by LDAP will be used as primary key for Arvados accounts. This means *users must not be able to edit their own email addresses* in the directory.
@@ -84,22+84,22 @@ Additional configuration settings are available:
Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
Check the LDAP section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
-h2(#pam). PAM (experimental)
+h2(#pam). PAM
With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
Enable PAM authentication in @config.yml@:
With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
Enable PAM authentication in @config.yml@:
-<pre>
+{% codeblock as yaml %}
Login:
PAM:
Enable: true
Login:
PAM:
Enable: true
-</pre>
+{% endcodeblock %}
Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
-The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a UNIX account and password on the controller host itself. This can be convenient for a single-user or test cluster. User accounts can have @/dev/false@ as the shell in order to allow the user to log into Arvados but not log into a shell on the controller host.
+The default PAM configuration on most Linux systems uses the local user/password database in @/etc/passwd@ and @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a UNIX account and password on the controller host itself. This can be convenient for a single-user or test cluster. Configuring a user account with a shell of @/bin/false@ will enable the user to log into Arvados but not log into shell login on the controller host.
-PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
+PAM can also be configured to use other authentication systems such such as NIS or Kerberos. In a production environment, PAM configuration should use the service name ("arvados" by default) and set a separate policy for Arvados login. In this case, Arvados users should not have shell accounts on the controller node.
For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.