

This page is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# AWS Managed Microsoft AD LDAP(S) cluster configuration examples
<a name="examples-addir-v3"></a>

AWS ParallelCluster supports multi-user access through integration with AWS Directory Service over the Lightweight Directory Access Protocol (LDAP) or LDAP over TLS/SSL (LDAPS).

The following examples show how to create a cluster configuration that integrates with AWS Managed Microsoft AD over LDAP(S).

## AWS Managed Microsoft AD over LDAPS with certificate verification
<a name="LDAP-example-1"></a>

You can use this example to integrate your cluster with AWS Managed Microsoft AD over LDAPS with certificate verification.

**Specific settings for AWS Managed Microsoft AD over LDAPS with certificate verification:**
+ For LDAPS with certificate verification, [`DirectoryService`](DirectoryService-v3.md)/[`LdapTlsReqCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsReqCert) must be set to `hard` (the default).
+ [`DirectoryService`](DirectoryService-v3.md)/[`LdapTlsCaCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsCaCert) must specify the path to your certificate authority (CA) certificate.

  The CA certificate is a certificate bundle that contains the certificates of the entire CA chain that issued the certificates of the AD domain controllers.

  Your CA certificate must be installed on the cluster nodes.
+ Controller hostnames, not IP addresses, must be specified for [`DirectoryService`](DirectoryService-v3.md)/[`DomainAddr`](DirectoryService-v3.md#yaml-DirectoryService-DomainAddr), so that the name can be matched against the controller certificate.
+ The [`DirectoryService`](DirectoryService-v3.md)/[`DomainReadOnlyUser`](DirectoryService-v3.md#yaml-DirectoryService-DomainReadOnlyUser) syntax must be as follows:

  ```
  cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  ```

**Example cluster configuration file for AD over LDAPS:**

```
Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
  Iam:
    AdditionalIamPolicies:
      - Policy: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  CustomActions:
    OnNodeConfigured:
      Script: s3://&example-s3-bucket;/scripts/pcluster-dub-msad-ldaps.post.sh
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
      Iam:
        AdditionalIamPolicies:
          - Policy: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
      CustomActions:
        OnNodeConfigured:
          Script: s3://&example-s3-bucket;/scripts/pcluster-dub-msad-ldaps.post.sh
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldaps://win-abcdef01234567890.corp.example.com,ldaps://win-abcdef01234567890.corp.example.com
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  LdapTlsCaCert: /etc/openldap/cacerts/corp.example.com.bundleca.cer
  LdapTlsReqCert: hard
```

**Add the certificate and configure the domain controllers in the post-install script:**

```
#!/bin/bash
set -e

AD_CERTIFICATE_S3_URI="s3://amzn-s3-demo-bucket/bundle/corp.example.com.bundleca.cer"
AD_CERTIFICATE_LOCAL="/etc/openldap/cacerts/corp.example.com.bundleca.cer"

AD_HOSTNAME_1="win-abcdef01234567890.corp.example.com"
AD_IP_1="192.0.2.254"

AD_HOSTNAME_2="win-abcdef01234567890.corp.example.com"
AD_IP_2="203.0.113.225"

# Download the CA bundle to the path referenced by LdapTlsCaCert
mkdir -p "$(dirname "${AD_CERTIFICATE_LOCAL}")"
aws s3 cp "${AD_CERTIFICATE_S3_URI}" "${AD_CERTIFICATE_LOCAL}"
chmod 644 "${AD_CERTIFICATE_LOCAL}"

# Make the controller hostnames used in DomainAddr resolvable on the node
echo "${AD_IP_1} ${AD_HOSTNAME_1}" >> /etc/hosts
echo "${AD_IP_2} ${AD_HOSTNAME_2}" >> /etc/hosts
```

**You can retrieve the domain controller hostnames from a domain-joined instance, as shown in the following examples.**

**From a Windows instance**

```
$ nslookup 192.0.2.254
```

```
Server:  corp.example.com
Address:  192.0.2.254

Name:    win-abcdef01234567890.corp.example.com
Address:  192.0.2.254
```

**From a Linux instance**

```
$ nslookup 192.0.2.254
```

```
192.0.2.254.in-addr.arpa   name = corp.example.com
192.0.2.254.in-addr.arpa   name = win-abcdef01234567890.corp.example.com
```

## AWS Managed Microsoft AD over LDAPS without certificate verification
<a name="LDAP-example-2"></a>

You can use this example to integrate your cluster with AWS Managed Microsoft AD over LDAPS without certificate verification.

**Specific settings for AWS Managed Microsoft AD over LDAPS without certificate verification:**
+ [`DirectoryService`](DirectoryService-v3.md)/[`LdapTlsReqCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsReqCert) must be set to `never`.
+ Either controller hostnames or IP addresses can be specified for [`DirectoryService`](DirectoryService-v3.md)/[`DomainAddr`](DirectoryService-v3.md#yaml-DirectoryService-DomainAddr).
+ The [`DirectoryService`](DirectoryService-v3.md)/[`DomainReadOnlyUser`](DirectoryService-v3.md#yaml-DirectoryService-DomainReadOnlyUser) syntax must be as follows:

  ```
  cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  ```

**Example cluster configuration file for AWS Managed Microsoft AD over LDAPS without certificate verification:**

```
Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldaps://203.0.113.225,ldaps://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  LdapTlsReqCert: never
```
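The two sections above state a set of consistency rules for the `DirectoryService` section (`hard` requires a CA bundle and hostnames, `never` accepts IP addresses, the DN syntax for the bind user). The following checker, an added example that is not part of the AWS ParallelCluster documentation or code base, applies those rules to a `DirectoryService` mapping before the cluster is created; the three sample sections are constructed from the page's two configurations plus one deliberately inconsistent variant.

```python
# Added example, not AWS ParallelCluster code: checks a DirectoryService section
# against the rules stated on this page. Sample sections are constructed.
import ipaddress
import re
from urllib.parse import urlsplit

DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_directory_service(ds):
    """Return a list of findings for one DirectoryService mapping; [] means consistent."""
    findings = []
    req_cert = ds.get("LdapTlsReqCert", "hard")  # 'hard' is the documented default
    if req_cert == "never":
        findings.append("LdapTlsReqCert is 'never': the controller certificate is not verified")
    for addr in filter(None, (a.strip() for a in ds.get("DomainAddr", "").split(","))):
        url = urlsplit(addr)
        if url.scheme != "ldaps":
            findings.append(f"{addr}: scheme is not ldaps, the bind would not be TLS-protected")
        if req_cert == "hard" and _is_ip_literal(url.hostname or ""):
            findings.append(f"{addr}: IP literal cannot be matched against the certificate; use the hostname")
    if req_cert == "hard" and not ds.get("LdapTlsCaCert"):
        findings.append("LdapTlsReqCert is 'hard' but LdapTlsCaCert (CA bundle path) is not set")
    for key in ("DomainName", "DomainReadOnlyUser"):
        if not DN_RE.match(ds.get(key, "")):
            findings.append(f"{key} is not in DN form (e.g. cn=ReadOnly,ou=Users,...,dc=com)")
    return findings


CERT_VERIFIED = {  # constructed from the first example on this page
    "DomainName": "dc=corp,dc=example,dc=com",
    "DomainAddr": "ldaps://win-abcdef01234567890.corp.example.com",
    "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com",
    "LdapTlsCaCert": "/etc/openldap/cacerts/corp.example.com.bundleca.cer",
    "LdapTlsReqCert": "hard",
}
NO_VERIFY = dict(CERT_VERIFIED, DomainAddr="ldaps://203.0.113.225,ldaps://192.0.2.254",
                 LdapTlsReqCert="never")  # constructed from the second example
del NO_VERIFY["LdapTlsCaCert"]
# Constructed inconsistent variant: default 'hard', but IP literals and no CA bundle
MISCONFIGURED = {k: v for k, v in NO_VERIFY.items() if k != "LdapTlsReqCert"}

if __name__ == "__main__":
    for name, section in (("cert-verified", CERT_VERIFIED), ("no-verify", NO_VERIFY),
                          ("misconfigured", MISCONFIGURED)):
        print(name, check_directory_service(section) or "OK")
```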