You can write a PAM module that does this kind of authorization, by grouping your servers e.g. serverA, serverB and serverC only allow users having memberOf oracleDBA. It works here in the company I work for, and can suit yours too. I think this approach is nice because you can centralize all administration to one write server, and then replicate to your slave servers.

Just one more idea :)

You will need to consider what users gain access to what servers. You
create profiles for your different server types which contain the search
query that locates a user. Normally it is simple such as 'uid=%user'
where %user is the name supplied by the login process. Since you may not
want all users to log into all servers you might have the filter for
oracle servers set like '(&(uid=%user)(memberOf=oracleDBA))'. A user
record may look like:

dn: uid=robertc,ou=people,dc=example,dc=com
objectclass: person (+ other objectclasses)
uid: robertc
memberOf: oracleDBA
memberOf: lotusnotesDBA
...

--
Igor Sutton Lopes
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
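A worked illustration of the per-server profile filters described in the post, added here as example code rather than anything from the list message or from cfengine: an in-memory stand-in for the directory, a small LDAP filter parser, and the authorization check, with the login name escaped per RFC 4515 before it is substituted for %user so that filter metacharacters in a name cannot change the query. The entries and profile names are constructed.

```python
import re
# Constructed sample directory, LDIF records flattened to dicts (not real data).
DIRECTORY = [
    {"uid": ["robertc"], "memberOf": ["oracleDBA", "lotusnotesDBA"]},
    {"uid": ["alice"], "memberOf": ["webadmins"]},
]

# One filter template per server type; %user is replaced at login time.
PROFILES = {
    "generic": "(uid=%user)",
    "oracle": "(&(uid=%user)(memberOf=oracleDBA))",
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name can never alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s):
    """Minimal parser for (&...), (|...) and (attr=value); malformed input raises."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        if s[i + 1] in "&|":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ")":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, value = s[i + 1:j].split("=", 1)
        return ("=", attr, unescape_filter_value(value)), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (exact, case-sensitive match)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    return node[2] in entry.get(node[1], [])

def authorize(user, server_type):
    """True if the server type's filter, with %user filled in, matches an entry."""
    filt = PROFILES[server_type].replace("%user", escape_filter_value(user))
    tree = parse_filter(filt)
    return any(matches(tree, e) for e in DIRECTORY)
```

A real module would send the substituted filter to the directory server instead of evaluating it locally; the escaping step is the part that matters either way.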