

This document is a machine translation of the English version. In case of any ambiguity or inconsistency, the English version prevails.

# Examples of AWS Managed Microsoft AD over LDAP(S) cluster configurations
<a name="examples-addir-v3"></a>

AWS ParallelCluster integrates with AWS Directory Service through the Lightweight Directory Access Protocol (LDAP) or LDAP over TLS/SSL (LDAPS) to support multi-user access.

The following examples show how to create a cluster configuration that integrates with AWS Managed Microsoft AD over LDAP(S).

## AWS Managed Microsoft AD over LDAPS with certificate verification
<a name="LDAP-example-1"></a>

You can use this example to integrate your cluster with AWS Managed Microsoft AD over LDAPS with certificate verification.

**Specific definitions for the AWS Managed Microsoft AD over LDAPS with certificate verification configuration:**
+ [`DirectoryService`](DirectoryService-v3.md) / [`LdapTlsReqCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsReqCert) must be set to `hard` (the default) for LDAPS with certificate verification.
+ [`DirectoryService`](DirectoryService-v3.md) / [`LdapTlsCaCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsCaCert) must specify the path to the certificate authority (CA) certificate.

  The CA certificate is a certificate bundle that contains the certificates of the entire CA chain that issued the certificates for the AD domain controllers.

  Your CA certificate and certificates must be installed on the cluster nodes.
+ [`DirectoryService`](DirectoryService-v3.md) / [`DomainAddr`](DirectoryService-v3.md#yaml-DirectoryService-DomainAddr) must specify the domain controller hostnames, not IP addresses.
+ [`DirectoryService`](DirectoryService-v3.md) / [`DomainReadOnlyUser`](DirectoryService-v3.md#yaml-DirectoryService-DomainReadOnlyUser) syntax must be as follows:

  ```
  cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  ```

**Example cluster configuration file for AD over LDAPS:**

```
Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
  Iam:
    AdditionalIamPolicies:
      - Policy: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  CustomActions:
    OnNodeConfigured:
      Script: s3://&example-s3-bucket;/scripts/pcluster-dub-msad-ldaps.post.sh
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
      Iam:
        AdditionalIamPolicies:
          - Policy: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
      CustomActions:
        OnNodeConfigured:
          Script: s3://&example-s3-bucket;/scripts/pcluster-dub-msad-ldaps.post.sh
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldaps://win-abcdef01234567890.corp.example.com,ldaps://win-abcdef01234567890.corp.example.com
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  LdapTlsCaCert: /etc/openldap/cacerts/corp.example.com.bundleca.cer
  LdapTlsReqCert: hard
```

**Add the certificate and configure the domain controllers in a post-install script:**

```
#!/bin/bash
set -e

# CA bundle that validates the domain controller certificates (see LdapTlsCaCert)
AD_CERTIFICATE_S3_URI="s3://amzn-s3-demo-bucket/bundle/corp.example.com.bundleca.cer"
AD_CERTIFICATE_LOCAL="/etc/openldap/cacerts/corp.example.com.bundleca.cer"

# Domain controller hostnames (as used in DomainAddr) and their IP addresses
AD_HOSTNAME_1="win-abcdef01234567890.corp.example.com"
AD_IP_1="192.0.2.254"

AD_HOSTNAME_2="win-abcdef01234567890.corp.example.com"
AD_IP_2="203.0.113.225"

# Download CA certificate
mkdir -p "$(dirname "${AD_CERTIFICATE_LOCAL}")"
aws s3 cp "${AD_CERTIFICATE_S3_URI}" "${AD_CERTIFICATE_LOCAL}"
chmod 644 "${AD_CERTIFICATE_LOCAL}"

# Configure domain controllers reachability
echo "${AD_IP_1} ${AD_HOSTNAME_1}" >> /etc/hosts
echo "${AD_IP_2} ${AD_HOSTNAME_2}" >> /etc/hosts
```

**You can retrieve the domain controller hostnames from a domain-joined instance, as shown in the following examples.**

**From a Windows instance**

```
$ nslookup 192.0.2.254
```

```
Server:  corp.example.com
Address:  192.0.2.254

Name:    win-abcdef01234567890.corp.example.com
Address:  192.0.2.254
```

**From a Linux instance**

```
$ nslookup 192.0.2.254
```

```
192.0.2.254.in-addr.arpa   name = corp.example.com
192.0.2.254.in-addr.arpa   name = win-abcdef01234567890.corp.example.com
```

## AWS Managed Microsoft AD over LDAPS without certificate verification
<a name="LDAP-example-2"></a>

You can use this example to integrate your cluster with AWS Managed Microsoft AD over LDAPS without certificate verification.

**Specific definitions for the AWS Managed Microsoft AD over LDAPS without certificate verification configuration:**
+ [`DirectoryService`](DirectoryService-v3.md) / [`LdapTlsReqCert`](DirectoryService-v3.md#yaml-DirectoryService-LdapTlsReqCert) must be set to `never`.
+ [`DirectoryService`](DirectoryService-v3.md) / [`DomainAddr`](DirectoryService-v3.md#yaml-DirectoryService-DomainAddr) can specify either the domain controller hostnames or IP addresses.
+ [`DirectoryService`](DirectoryService-v3.md) / [`DomainReadOnlyUser`](DirectoryService-v3.md#yaml-DirectoryService-DomainReadOnlyUser) syntax must be as follows:

  ```
  cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  ```

**Example cluster configuration file for AWS Managed Microsoft AD over LDAPS without certificate verification:**

```
Region: region-id
Image:
  Os: alinux2
HeadNode:
  InstanceType: t2.micro
  Networking:
    SubnetId: subnet-1234567890abcdef0
  Ssh:
    KeyName: pcluster
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: queue1
      ComputeResources:
        - Name: t2micro
          InstanceType: t2.micro
          MinCount: 1
          MaxCount: 10
      Networking:
        SubnetIds:
          - subnet-abcdef01234567890
DirectoryService:
  DomainName: dc=corp,dc=example,dc=com
  DomainAddr: ldaps://203.0.113.225,ldaps://192.0.2.254
  PasswordSecretArn: arn:aws:secretsmanager:region-id:123456789012:secret:MicrosoftAD.Admin.Password-1234
  DomainReadOnlyUser: cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com
  LdapTlsReqCert: never
```
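As an added check that is not part of the original page or of AWS ParallelCluster itself, the following Python script applies the rules from both sections above to a `DirectoryService` section: with `LdapTlsReqCert: hard` it expects `ldaps://` hostnames (not IP addresses) and an `LdapTlsCaCert` path, and with `never` it reports that the controller certificate goes unverified. The two dictionaries are constructed copies of this page's configurations; the check that `DomainReadOnlyUser` sits under `DomainName` is an assumption, not a rule stated on the page.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed copies of the two DirectoryService sections shown on this page.
WITH_VERIFICATION = {
    "DomainName": "dc=corp,dc=example,dc=com",
    "DomainAddr": "ldaps://win-abcdef01234567890.corp.example.com,"
                  "ldaps://win-abcdef01234567890.corp.example.com",
    "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com",
    "LdapTlsCaCert": "/etc/openldap/cacerts/corp.example.com.bundleca.cer",
    "LdapTlsReqCert": "hard",
}
WITHOUT_VERIFICATION = {
    "DomainName": "dc=corp,dc=example,dc=com",
    "DomainAddr": "ldaps://203.0.113.225,ldaps://192.0.2.254",
    "DomainReadOnlyUser": "cn=ReadOnly,ou=Users,ou=CORP,dc=corp,dc=example,dc=com",
    "LdapTlsReqCert": "never",
}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_directory_service(ds):
    """Return a list of findings; an empty list means the section follows
    the LDAPS-with-certificate-verification rules from this page."""
    findings = []
    req_cert = ds.get("LdapTlsReqCert", "hard")  # hard is the documented default
    addrs = [a.strip() for a in ds.get("DomainAddr", "").split(",") if a.strip()]
    for addr in addrs:
        parts = urlsplit(addr)
        if parts.scheme != "ldaps":
            findings.append(f"{addr}: scheme is not ldaps, directory traffic is not TLS-protected")
        elif req_cert == "hard" and _is_ip(parts.hostname or ""):
            findings.append(f"{addr}: with LdapTlsReqCert hard, DomainAddr must use the controller hostname, not an IP")
    if req_cert == "hard" and not ds.get("LdapTlsCaCert"):
        findings.append("LdapTlsReqCert is hard but LdapTlsCaCert (path to the CA bundle) is not set")
    if req_cert == "never":
        findings.append("LdapTlsReqCert is never: the domain controller certificate is not verified")
    # Assumption (not stated on the page): the read-only bind DN lives under DomainName.
    user_dn = ds.get("DomainReadOnlyUser", "").lower()
    if not user_dn.startswith("cn=") or not user_dn.endswith(ds.get("DomainName", "").lower()):
        findings.append(f"DomainReadOnlyUser {user_dn!r} is not a DN under DomainName")
    return findings
```

Run `check_directory_service` on each section before creating the cluster; the `never` configuration is flagged so the loss of server authentication is a deliberate choice rather than an oversight.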