AWS parallelcluster medium security documentation change
Summary
Added documentation requiring LDAP TLS CA certificates to be accessible to all cluster nodes for proper user resolution.
Security assessment
Explicitly states that inaccessible certificates break user resolution, preventing authentication. This addresses a security misconfiguration risk where nodes might fail to authenticate users if certificates are unavailable, potentially causing unauthorized access or system failure.
Diff
diff --git a/parallelcluster/latest/ug/tutorials_05_multi-user-ad-step3.md b/parallelcluster/latest/ug/tutorials_05_multi-user-ad-step3.md index aff43d3b5..6a37de905 100644 --- a//parallelcluster/latest/ug/tutorials_05_multi-user-ad-step3.md +++ b//parallelcluster/latest/ug/tutorials_05_multi-user-ad-step3.md @@ -41,0 +42,11 @@ For better security posture, we suggest to use the `HeadNode` / `Ssh` / `Allowed +Notice that the certificate specified in `LdapTlsCaCert` must be accessible to all cluster nodes. + +###### Hard Requirements + + * The certificate specified in `LdapTlsCaCert` must be accessible to all cluster nodes. + +A node without access to the certificate will not be able to resolve users from the directory. + + + +