help-cfengine@cfengine.org
[Top] [All Lists]

Re: help with cfengine for account management in very large environments

Subject: Re: help with cfengine for account management in very large environments
From: "Igor Sutton"
Date: Tue, 6 Jun 2006 10:45:08 -0300
You can write a PAM module that does these kind of authorization, by grouping your servers e.g. serverA, serverB and serverC only allows users having memberOf oracleDBA. It works here in the company I work for, and can suit yours too. I think this approach is nice because you can centralize all administration to one write server, and then replicate to your slave servers.

Just one more idea :)

You will need to consider what users gain access to what servers. You
create profiles for your different server types which contain the search
query that locates a user. Normally it is simple such as 'uid=%user'
where %user is the name supplied by the login process. Since you may not
want all users to log into all servers you might have the filter for
oracle servers set like '&((uid=%user)(memberOf=oracleDBA))'. A user
record may look like:

dn: uid=robertc,ou=people,dc=example,dc=com
objectclass: person (+ other objectclasses)
uid: robertc
memberOf: oracleDBA
memberOf: lotusnotesDBA
...

--
Igor Sutton Lopes
_______________________________________________
Help-cfengine mailing list
Help-cfengine@xxxxxxxxxxxx
http://cfengine.org/mailman/listinfo/help-cfengine
<Prev in Thread] Current Thread [Next in Thread>