Um, why? There are more regularized methods of RBAC than touching /etc/passwd. For my part I'd rather keep hosts as similar as possible and have authentication controlled elsewhere. That way I have complex manifests about user authentication on a subset of hosts, and simplified auth client manifests everywhere else.

On Wed, Jul 16, 2014 at 10:24:26AM -0400, Betsy Schwartz wrote:
> Thank you! pam access may well be the right direction to go for us.
>
> I'm still sort of boggled that nobody seems to be using puppet for
> /etc/passwd. That always seemed to us to be the *first* thing we'd want to
> get under centralized control.
>
> I understand that centralized control reduces the need for direct logins,
> but I'd think people would still need dba's on db machines and devs on dev
> machines and such
>
> On Mon, Jul 14, 2014 at 2:52 AM, Stefan Dietrich wrote:
> > On So, 2014-07-13 at 16:01 -0400, Betsy Schwartz wrote:
> > > We're running primarily RHEL6, and Puppet Enterprise 3.2
> > >
> > > In our non-puppetized world, we make heavy use of netgroups (stored in
> > > ldap, entered in /etc/passwd) to control access to servers.
> >
> > Would pam_access work for your use case?
> > Instead of adding the netgroups to passwd, you configure this
> > in /etc/security/access.conf.
> > There are also some modules on Puppet Forge, which allow management of
> > this file.
> >
> > Btw. Augeas can not parse /etc/passwd, if you add the +@netgroup lines.
> >
> > Regards,
> > Stefan
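
The pam_access approach suggested in the quoted reply, sketched as a Puppet class that gives each host role its own list of allowed netgroups. This is an added example, not code from the thread or from any Puppet Forge module; the class name `access_netgroups`, the netgroup names `sysadmins` and `dbas`, and the node name are hypothetical, and it assumes netgroup lookups already resolve through nsswitch on RHEL 6.

```puppet
# Added example: netgroup-based login control through pam_access instead of
# +@netgroup lines in /etc/passwd. Class and netgroup names are hypothetical.
class access_netgroups (
  $allowed_netgroups = ['sysadmins'],  # assumption: netgroups already exist in LDAP
) {

  # pam_access evaluates rules top to bottom and the first match wins.
  # "@name" in the users field refers to a netgroup.
  # The final deny-all also applies to service accounts: if crond's PAM stack
  # includes pam_access, accounts that run cron jobs need their own "+" line.
  file { '/etc/security/access.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => inline_template(
'# Managed by Puppet - local edits will be overwritten
+ : root : LOCAL
<% @allowed_netgroups.each do |ng| -%>
+ : @<%= ng %> : ALL
<% end -%>
- : ALL : ALL
'),
  }

  # access.conf has no effect until pam_access is in the PAM account stack.
  # Write the rules first so the module never runs against a stale file.
  exec { 'enable-pam-access':
    command => 'authconfig --enablepamaccess --update',
    unless  => 'grep -q "pam_access.so" /etc/pam.d/system-auth',
    path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
    require => File['/etc/security/access.conf'],
  }
}

# A database host additionally admits the (hypothetical) dbas netgroup.
node 'db01.example.com' {
  class { 'access_netgroups':
    allowed_netgroups => ['sysadmins', 'dbas'],
  }
}
```

Keep a root console session open while first applying this to a host, since a wrong netgroup name leaves only the `root : LOCAL` rule between you and a lockout.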
