I work for a company with a large deployment of cfengine-managed servers, 1000 or more systems in total. The problem is that the way things were initially put together has turned into a huge mess in terms of user account management. There are maybe 50-100 separate passwd and shadow files for the entire production environment, all in cfengine. Adding and removing accounts is a clumsy operation of running different scripts on various cfengine master servers. As a result, it takes forever to add or modify individual accounts, and there also isn't enough control over who has accounts on which systems.
I guess I'm looking for suggestions on how to deal with the mess. It seems like the obvious solution is migrating to LDAP or some kind of equivalent. That seems daunting because I don't know how I would ever manage a seamless transition on such a complex production network where extended downtime is unacceptable. Perhaps after consolidating all of the cfengine passwd files, I could enter everything into an LDAP server and then export from LDAP to a few distinct passwd files (based on security requirements) and then push those out with cfengine. You can probably tell I'm grasping at straws here. I'm also wondering about the idea of having just a few accounts on the individual systems such as dba, admin, etc., but I don't know how I would be able to tell who had performed what actions with such a setup (not that I really can now, but at least I can see who logged in and when a particular user sudo'd to a privileged account). Any suggestions are greatly appreciated.

Thanks,
-Aaron

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
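The consolidation step sketched in the post above (merge every cfengine-managed passwd/shadow file into one table, then emit a few per-tier passwd files from that single source), as an added example that is not part of the original post and not cfengine's own code. The file contents, host classes, logins, UIDs and hash strings are all constructed for the example. The merge does not silently pick a winner: it reports the two failures that make a blind concatenation dangerous, one login carrying different UIDs on different hosts (file ownership breaks on shared storage and after migration) and one UID shared by different logins (each can read the other's files). Both must be resolved by hand before anything is loaded into a directory, since an LDAP posixAccount has exactly one uidNumber.

```python
#!/usr/bin/env python3
"""Merge per-host passwd/shadow files into one table and report conflicts.

Added example, not code from the original post or from cfengine.  The file
contents below are constructed; logins, UIDs, hosts and hashes are made up.
"""
from collections import defaultdict

# Constructed sample: three cfengine-pushed passwd files, keyed by host class.
PASSWD_FILES = {
    "web": "root:x:0:0:root:/root:/bin/bash\n"
           "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
           "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "db": "root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
          "dba:x:1002:1002:DBA role:/home/dba:/bin/bash\n",
    "batch": "root:x:0:0:root:/root:/bin/bash\n"
             "bob:x:1005:1005:Bob:/home/bob:/bin/bash\n"
             "carol:x:1003:1003:Carol:/home/carol:/bin/bash\n",
}
# Constructed shadow files; the hash fields are placeholders, not real hashes.
SHADOW_FILES = {
    "web": "root:!:19000:0:99999:7:::\n"
           "alice:$6$s1$HASH_A:19000:0:99999:7:::\n"
           "bob:$6$s2$HASH_B:19000:0:99999:7:::\n",
    "db": "root:!:19000:0:99999:7:::\n"
          "alice:$6$s1$HASH_Z:19100:0:99999:7:::\n"
          "dba:$6$s3$HASH_C:19000:0:99999:7:::\n",
    "batch": "root:!:19000:0:99999:7:::\n"
             "bob:$6$s2$HASH_B:19000:0:99999:7:::\n"
             "carol:$6$s4$HASH_D:19000:0:99999:7:::\n",
}


def parse_colon_file(text, nfields):
    """Parse a passwd(5)/shadow(5) style file into {login: [fields]}."""
    rows = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, nfields, len(fields)))
        rows[fields[0]] = fields
    return rows


def merge_passwd(files):
    """Return (accounts, conflicts).

    accounts: {login: {"uid", "gid", "gecos", "home", "shell", "hosts"}};
    the first host seen (in sorted host order) supplies the recorded fields.
    conflicts: strings describing what must be resolved by hand.
    """
    accounts = {}
    uid_owner = defaultdict(set)      # uid -> logins that use it anywhere
    conflicts = []
    for host, text in sorted(files.items()):
        for login, f in parse_colon_file(text, 7).items():
            uid = int(f[2])
            uid_owner[uid].add(login)
            rec = accounts.get(login)
            if rec is None:
                accounts[login] = {"uid": uid, "gid": int(f[3]), "gecos": f[4],
                                   "home": f[5], "shell": f[6], "hosts": {host}}
                continue
            rec["hosts"].add(host)
            if rec["uid"] != uid:
                conflicts.append("login %s has uid %d on %s but %d elsewhere"
                                 % (login, uid, host, rec["uid"]))
            if rec["home"] != f[5] or rec["shell"] != f[6]:
                conflicts.append("login %s has differing home/shell on %s"
                                 % (login, host))
    for uid, logins in sorted(uid_owner.items()):
        if len(logins) > 1:
            conflicts.append("uid %d is shared by %s"
                             % (uid, ", ".join(sorted(logins))))
    return accounts, conflicts


def merge_shadow(files):
    """Flag logins whose password hash differs between hosts."""
    seen = {}                         # login -> (hash, host where first seen)
    divergent = []
    for host, text in sorted(files.items()):
        for login, f in parse_colon_file(text, 9).items():
            if login in seen and seen[login][0] != f[1]:
                divergent.append("login %s: hash on %s differs from %s"
                                 % (login, host, seen[login][1]))
            seen.setdefault(login, (f[1], host))
    return divergent


def export_passwd(accounts, allowed):
    """Render a passwd file holding only the logins in `allowed`, sorted by uid.

    This is the per-tier export: every tier's file is cut from the same table,
    so a login is added or removed in exactly one place.
    """
    logins = sorted((l for l in allowed if l in accounts),
                    key=lambda l: accounts[l]["uid"])
    lines = ["%s:x:%d:%d:%s:%s:%s" % (l, accounts[l]["uid"], accounts[l]["gid"],
                                       accounts[l]["gecos"], accounts[l]["home"],
                                       accounts[l]["shell"]) for l in logins]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    table, problems = merge_passwd(PASSWD_FILES)
    for p in problems + merge_shadow(SHADOW_FILES):
        print("CONFLICT:", p)
    print(export_passwd(table, ["root", "alice", "carol"]), end="")
```

Run as-is, it reports bob's two UIDs, UID 1002 being used by both bob and dba, and alice's hash differing between the db and web files, then prints a passwd file for a tier that admits only root, alice and carol. The shadow divergence is worth treating as a finding in its own right: it means a user has been changing passwords on one set of hosts and not the other, which is exactly the per-user audit gap the post describes, and it goes away once a directory is the only place a password is set.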