X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e48478841828b1dbab8b69eb9453db23b42ed63f..73c880171652a0fd41e38b47de02fc79e4ae05d2:/doc/install/setup-login.html.textile.liquid diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid index 572a83f706..d11fec9e10 100644 --- a/doc/install/setup-login.html.textile.liquid +++ b/doc/install/setup-login.html.textile.liquid @@ -56,6 +56,8 @@ With this configuration, users will sign in with a third-party OpenID Connect pr ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz" +Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options. + h2(#ldap). LDAP With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory. @@ -96,7 +98,7 @@ Enable PAM authentication in @config.yml@: Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options. -The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a shell account and password on the controller host itself. This can be convenient for a single-user or test cluster. +The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a UNIX account and password on the controller host itself. This can be convenient for a single-user or test cluster. User accounts can have @/dev/false@ as the shell in order to allow the user to log into Arvados but not log into a shell on the controller host. PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.