Yes, it does sound daunting.
I would recommend the following, set up LDAP or establish an ideal
master passwd file first. I would recommend LDAP.
Give each user an account, 1person=1 account. for root access use sudo.
that's just good practice.
You will need to have both implementations overlap for a while. I would
recommend that you do it one server at a time or automate it.
At the worst, all new servers should use the new system and use the
equipment replacement cycle to your advantage. Break is into reasonable
chunks. It sounds like you have a lot of diverse systems. Group similar
machines together and tackle them one at a time. going forward,
establish common configs for each group or servers.
It will take time, but be patient and work towards the ideal. Make sure
that all new work is towards the ideal .Cfengine is all about
convergence, the idea that small changes towards the ideal are the best
practice. Start changing your servers one at a time.
> I work for a company with a large deployment of cfengine managed
> servers, 1000 or more systems in total. The problem is that the way
> things were initially put together has turned into a huge mess in terms
> of user account management. There's maybe 50-100 separate passwd and
> shadow files for the entire production environment...all in cfengine.
> Adding and removing accounts is a clumsy operation of running different
> scripts on various cfengine master servers. As a result, it takes
> forever to add or modify individual accounts and there also isn't
> enough control over who has accounts on which systems.
> I guess I'm looking for suggestions on how to deal with the mess. It
> seems like the obvious solution is migrating to LDAP or some kind of
> equivalent. That seems daunting because I don't know how I would ever
> manage a seamless transition on such a complex production network where
> extended downtime is unacceptable. Perhaps after consolidating all of
> the cfengine passwd files, I could enter everything into an LDAP server
> and then export from LDAP to a few distinct passwd files (based on
> security requirements) and then push those out with cfengine. You can
> probably tell I'm grasping at straws here.
> I'm also wondering about the idea of having just a few accounts on the
> individual systems such as dba, admin, etc. but I don't know how I
> would be able to tell who had performed what actions with such a setup
> (not that I really can now but at least I can see who logged in and
> when a particular user sudo'd to a privileged account).
> Any suggestions are greatly appreciated.
> Help-cfengine mailing list
Help-cfengine mailing list