On 2010 Mar 29, at 16:06, Hugh Brown wrote: [snip]
> So...what do you think? *Is* this reasonable? Is it stupid, or is
> this one of those "It depends" questions? Is it just a question of
> tweaking caching/failover settings? What do you do, and how big is
> the environment where you do it?

At $work, we use a combination of local accounts managed by a central admin tool, and multiple authentication modes (SSH key, central authentication server for SecurID, home-grown authentication mechanism, etc.). Any single method can fail and there is still a clear path to support the server.

I'm a fan of central management, but I've come to like files over LDAP for some of the reasons you've described. We use a home-grown utility to handle all the complex issues of creating and removing accounts.

Even a transient network failure, IMO, should not interfere with something like a large Oracle database that isn't relying on the network at that instant to do internal work. It might interfere with a new SQL transaction coming in, but the data which has arrived can be fully processed, because the authoritative source of valid users is explicitly local files.

Once you set that up, the challenge becomes to somehow translate your central authority (say, an LDAP database) into the account configurations on a regular basis (such as once a day, when updates occur, or something else). This tries to give you the best of both worlds.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
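The last part of the reply describes the sync step: a central directory is the authority, but the files the host actually authenticates against are local, regenerated from the directory on a schedule. The script below is an added example of that translation and is not code from this thread or from the poster's home-grown utility. It assumes the directory is exported as LDIF posixAccount entries (the shape `ldapsearch -LLL` produces), writes the 7-field /etc/passwd layout only (shadow, group and SSH-key files are left aside), and treats everything below UID 1000 plus a named break-glass account as host-owned, so a bad or hostile directory export can never replace root or lock out the local emergency login. Both sample inputs are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed directory export, as `ldapsearch -LLL` would print it; values
# are assumed plain, single-line and unencoded (no base64 "::" attributes).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash
"""

# Constructed local /etc/passwd: system accounts, a local break-glass admin,
# and carol, who was removed from the directory since the last run.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
breakglass:x:999:999:Local emergency admin:/home/breakglass:/bin/bash
carol:x:10003:10003:Carol Example:/home/carol:/bin/bash
"""

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
Account = namedtuple("Account", "name uid gid gecos home shell")


def passwd_line(a):
    return f"{a.name}:x:{a.uid}:{a.gid}:{a.gecos}:{a.home}:{a.shell}"


def parse_ldif(text):
    """Collect posixAccount entries from an LDIF dump; other classes are ignored."""
    accounts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixAccount" in attrs.get("objectClass", []):
            accounts.append(Account(
                attrs["uid"][0], int(attrs["uidNumber"][0]), int(attrs["gidNumber"][0]),
                attrs.get("cn", [""])[0], attrs["homeDirectory"][0],
                attrs.get("loginShell", ["/usr/sbin/nologin"])[0]))
    return accounts


def parse_passwd(text):
    accounts = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            if len(f) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            accounts.append(Account(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return accounts


def validate(acct, min_managed_uid):
    """Reject directory data that could smuggle in a system account or a stray ':'."""
    if not NAME_RE.match(acct.name):
        raise ValueError(f"bad username from directory: {acct.name!r}")
    if acct.uid < min_managed_uid:
        raise ValueError(f"directory entry {acct.name} claims system UID {acct.uid}")
    if any(":" in s or "\n" in s for s in (acct.gecos, acct.home, acct.shell)):
        raise ValueError(f"field separator inside an attribute of {acct.name}")


def sync(local, central, protected, min_managed_uid=1000):
    """Return (passwd lines, added, removed, changed). Host-owned accounts (UID below
    min_managed_uid or named in `protected`) pass through untouched; all others
    are replaced from the directory or removed when the directory dropped them."""
    def is_host(a):
        return a.uid < min_managed_uid or a.name in protected
    host_names = {a.name for a in local if is_host(a)}
    host_uids = {a.uid for a in local if is_host(a)}
    wanted = {}
    for acct in central:
        validate(acct, min_managed_uid)
        if acct.name in host_names or acct.uid in host_uids:
            raise ValueError(f"{acct.name}/{acct.uid} collides with a protected local account")
        if acct.name in wanted or any(w.uid == acct.uid for w in wanted.values()):
            raise ValueError(f"duplicate name or uidNumber in directory: {acct.name}")
        wanted[acct.name] = acct

    result, added, removed, changed = [], [], [], []
    for acct in local:
        if is_host(acct):
            result.append(acct)
        elif acct.name not in wanted:
            removed.append(acct.name)
        else:
            if wanted[acct.name] != acct:
                changed.append(acct.name)
            result.append(wanted[acct.name])
    present = {a.name for a in result}
    for name, acct in wanted.items():
        if name not in present:
            result.append(acct)
            added.append(name)
    return [passwd_line(a) for a in result], added, removed, changed
```

A cron job would call `sync(parse_passwd(open("/etc/passwd").read()), parse_ldif(export), {"breakglass"})`, write the returned lines to a temporary file and rename it into place only when the call did not raise; on any `ValueError` the previous file stays, which is the point of keeping the local copy authoritative. Running the constructed sample yields the three host-owned lines unchanged, `alice` appended, and `carol` reported as removed.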
