You can write a PAM module that does this kind of authorization, by
grouping your servers, e.g. serverA, serverB and serverC only allow
users having memberOf oracleDBA. It works here in the company I work
for, and can suit yours too. I think this approach is nice because you
can centralize all administration on one write server, and then
replicate to your slave servers.
Just one more idea :)
You will need to consider which users gain access to which servers. You
create profiles for your different server types which contain the search
query that locates a user. Normally it is simple, such as 'uid=%user',
where %user is the name supplied by the login process. Since you may not
want all users to log into all servers, you might have the filter for
oracle servers set like '&((uid=%user)(memberOf=oracleDBA))'. A user
record may look like:

    dn: uid=robertc,ou=people,dc=example,dc=com
    objectclass: person
    (+ other objectclasses)
    uid: robertc
    memberOf: oracleDBA
    memberOf: lotusnotesDBA
    ...
-- Igor Sutton Lopes
_______________________________________________
Help-cfengine mailing list
Help-cfengine@xxxxxxxxxxxx
http://cfengine.org/mailman/listinfo/help-cfengine
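As an added illustration of the per-server-profile filters described in the message above (not code from the poster or from cfengine), the following Python sketches how a PAM module would substitute %user into a profile's filter template and evaluate it against directory entries; the profile names, the second user and the in-memory evaluator are all constructed here, and the escaping step is what keeps a login name from changing the filter's structure.

```python
import re

# Constructed filter templates per server type, in the spirit of the post.
PROFILES = {
    "generic": "(uid=%user)",
    "oracle": "(&(uid=%user)(memberOf=oracleDBA))",
}

# Constructed directory entries, modelled on the record in the post.
USERS = [
    {"dn": "uid=robertc,ou=people,dc=example,dc=com",
     "uid": ["robertc"], "memberOf": ["oracleDBA", "lotusnotesDBA"]},
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "uid": ["alice"], "memberOf": ["lotusnotesDBA"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must never add or close a filter term."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(profile, user):
    """Substitute %user in the profile's template with the escaped login name."""
    return PROFILES[profile].replace("%user", escape_filter_value(user))

def _parse(s, i):
    """Minimal parser for (&(a=b)(c=d)) and (a=b); returns (node, next_index)."""
    assert s[i] == "("
    if s[i + 1] == "&":
        i, kids = i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return ("&", kids), i + 1
    j = s.index(")", i)
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr, val), j + 1

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _match(node, entry):
    # Attribute names are matched case-sensitively here, unlike a real LDAP server.
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    _, attr, val = node
    return _unescape(val) in entry.get(attr, [])

def authorize(profile, user):
    """Return the dn of exactly one matching entry, or None (login denied)."""
    node, _ = _parse(build_filter(profile, user), 0)
    hits = [e["dn"] for e in USERS if _match(node, e)]
    return hits[0] if len(hits) == 1 else None
```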