Configuration to modify external authentication

You can modify external authentication behavior by writing your own eauth executable. There are also configuration parameters that modify various aspects of external authentication behavior by:
  • Increasing security through the use of an external encryption key (recommended)

  • Specifying a trusted user account under which the eauth executable runs (UNIX and Linux only)

You can also choose Kerberos authentication to provide a secure data exchange during LSF user and daemon authentication and to forward credentials to a remote host for use during job execution.

Configuration to modify security


File

Parameter and syntax

Descriptions

lsf.sudoers

LSF_EAUTH_KEY=key

  • The eauth executable uses the external encryption key that you define to encrypt and decrypt the credentials.

  • The key must contain at least six characters and must use only printable characters.

  • For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. You must also configure eauth as setuid to root so that eauth can read the lsf.sudoers file and obtain the value of LSF_EAUTH_KEY.

  • For Windows, you must edit the shared lsf.sudoers file.


Configuration to specify the eauth user account

On UNIX hosts, the eauth executable runs under the account of the primary LSF administrator. You can modify this behavior by specifying a different trusted user account. For Windows hosts, you do not need to modify the default behavior because eauth runs under the service account, which is always a trusted, secure account.

File

Parameter and syntax

Description

lsf.sudoers

LSF_EAUTH_USER=user_name

  • UNIX only

  • The eauth executable runs under the account of the specified user rather than the account of the LSF primary administrator

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name


Configuration to enable Kerberos authentication

To install and configure Kerberos authentication, refer to the information included with your Kerberos integration package provided by Platform Computing Inc..
Restriction:
Kerberos authentication is supported only for UNIX and Linux hosts, and only on the following operating systems:
  • AIX 4

  • Alpha 4.x

  • IRIX 6.5

  • Linux 2.x

  • Solaris 2.x


Configuration file

Parameter and syntax

Behavior

lsf.conf

LSF_AUTH=eauth

  • Enables external authentication

LSF_AUTH_DAEMONS=y | Y

  • Enables daemon authentication when external authentication is enabled

LSF_DAEMON_WRAP=y | Y

  • Required for Kerberos authentication

  • mbatchd, sbatchd, and RES run the executable LSF_SERVERDIR/daemons.wrap

lsf.sudoers

LSF_EAUTH_USER=root

  • for Kerberos authentication, the eauth executable must run under the root account

  • You must edit the lsf.sudoers file on all hosts within the cluster and specify the same user name

LSF_LOAD_PLUGINS=y | Y

  • Required for Kerberos authentication when plug-ins are used instead of the daemon wrapper script

  • LSF loads plug-ins from the directory LSB_LIBDIR

LSF_EEXEC_USER=root

  • Required for Kerberos authentication. The parameter LSF_DAEMON_WRAP must also be set to y or Y.

  • The eexec executable provided with the Kerberos integration runs under the root account