On Fri, Nov 28, 2008 at 05:35:31PM +0000, Imran Chaudhry wrote:
> Hi All,
>
> I have a web application that's protected by Basic Auth and a password
> file (e.g. what is typically done with .htaccess and a list of valid
> users).
>
> I have IP failover over 2 hosts, active and passive, with Heartbeat 2 +
> crm_mon working fine. The passive server hosts a live working version of
> the application also protected by Basic Auth but with an "admin only"
> version of the password file. [0]
>
> What I'd like to do is have a way of keeping the full password file [1]
> on the passive and rename this to be the real file on IP failover. Can I
> do this with heartbeat?
>
> Cheers!
>
> [0] The reason for this is to stop someone getting to the passive host
> and making changes.
> [1] I realize another problem is keeping the password lists on both
> hosts in sync as new accounts are being created all the time and
> passwords get changed. This is another problem but I'm happy for
> suggestions on that too. And yes I know that DRBD kills a lot of things
> with one stone but it's sadly not an option here :-(.

have non-system accounts not in /etc/passwd?
see nss pam ldap, pam mysql...

if you have to use the /etc/passwd for some reason,
have a look at csync2.

to forbid non-admin logins on the non-active node(s),
you can either have only system accounts in /etc/passwd,
and have other accounts not available -- users then simply do not exist
on a passive box.

or have user accounts available all right, but do your own pam
restrictions that deny access on passive nodes.

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
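
For the original question of putting the full Basic Auth password file in place on IP failover, one approach is a small start/stop/status resource script that the cluster manager runs alongside the service IP. This is an added example, not part of the thread and not code from Heartbeat; the function names `pwswap` and `install_file` and all file paths are assumptions.

```shell
#!/bin/sh
# Added example: LSB-style resource script for Heartbeat (start/stop/status).
# All paths are assumptions; AuthUserFile is assumed to point at $LIVE and
# the web server is assumed to re-read that file on each request.
AUTH_DIR="${AUTH_DIR:-/etc/apache2/auth}"
LIVE="${LIVE:-$AUTH_DIR/htpasswd}"          # file the web server reads
FULL="${FULL:-$AUTH_DIR/htpasswd.full}"     # every account (active node)
ADMIN="${ADMIN:-$AUTH_DIR/htpasswd.admin}"  # admin accounts only (passive)

# Replace $LIVE with a copy of $1 via rename, so a request never sees a
# half-written file. Refuses to install a missing or empty source.
install_file() {
    src="$1"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    tmp="$LIVE.tmp.$$"
    cp -p "$src" "$tmp" && mv -f "$tmp" "$LIVE"
}

pwswap() {
    case "$1" in
        start)  install_file "$FULL" ;;    # node took over the service IP
        stop)   install_file "$ADMIN" ;;   # node went passive
        status)
            # LSB exit codes: 0 = running, 3 = stopped
            if cmp -s "$LIVE" "$FULL"; then
                echo "running"; return 0
            fi
            echo "stopped"; return 3 ;;
        *)  echo "usage: $0 {start|stop|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an argument, as the cluster manager does.
[ $# -eq 0 ] || pwswap "$@"
```

A failed `start` leaves the live file untouched and returns non-zero, so the cluster manager sees the failure instead of the node silently serving the wrong user list.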
