help-cfengine@cfengine.org
[Top] [All Lists]

Re: help with cfengine for account management in very large environments

Subject: Re: help with cfengine for account management in very large environments
From: Jason Edgecombe
Date: Tue, 06 Jun 2006 09:24:53 -0400
hi there,

Yes, it does sound daunting.

I would recommend the following, set up LDAP or establish an ideal 
master passwd file first. I would recommend LDAP.

Give each user an account, 1person=1 account. for root access use sudo. 
that's just good practice.

You will need to have both implementations overlap for a while. I would 
recommend that you do it one server at a time or automate it.

At the worst, all new servers should use the new system and use the 
equipment replacement cycle to your advantage. Break is into reasonable 
chunks. It sounds like you have a lot of diverse systems. Group similar 
machines together and tackle them one at a time.  going forward, 
establish common configs for each group or servers.

It will take time, but be patient and work towards the ideal. Make sure 
that all new work is towards the ideal .Cfengine is all about 
convergence, the idea that small changes towards the ideal are the best 
practice. Start changing your servers one at a time.



Sincerely,
Jason

Aaron wrote:
> I work for a company with a large deployment of cfengine managed
> servers, 1000 or more systems in total. The problem is that the way
> things were initially put together has turned into a huge mess in terms
> of user account management. There's maybe 50-100 separate passwd and
> shadow files for the entire production environment...all in cfengine.
> Adding and removing accounts is a clumsy operation of running different
> scripts on various cfengine master servers. As a result, it takes
> forever to add or modify individual accounts and there also isn't
> enough control over who has accounts on which systems.
>
> I guess I'm looking for suggestions on how to deal with the mess. It
> seems like the obvious solution is migrating to LDAP or some kind of
> equivalent. That seems daunting because I don't know how I would ever
> manage a seamless transition on such a complex production network where
> extended downtime is unacceptable. Perhaps after consolidating all of
> the cfengine passwd files, I could enter everything into an LDAP server
> and then export from LDAP to a few distinct passwd files (based on
> security requirements) and then push those out with cfengine. You can
> probably tell I'm grasping at straws here.
>
> I'm also wondering about the idea of having just a few accounts on the
> individual systems such as dba, admin, etc. but I don't know how I
> would be able to tell who had performed what actions with such a setup
> (not that I really can now but at least I can see who logged in and
> when a particular user sudo'd to a privileged account).
>
> Any suggestions are greatly appreciated.
>
> Thanks,
> -Aaron
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@xxxxxxxxxxxx
> http://cfengine.org/mailman/listinfo/help-cfengine
>
>
>   


_______________________________________________
Help-cfengine mailing list
Help-cfengine@xxxxxxxxxxxx
http://cfengine.org/mailman/listinfo/help-cfengine

<Prev in Thread] Current Thread [Next in Thread>