On Apr 5, 2010, at 1:28 PM, Yves Dorfsman wrote:

> Aleksey Tsalolikhin wrote:
>> On Sun, Apr 4, 2010 at 10:26 AM, Leon Towns-von Stauber
>> <[email protected]> wrote:
>>> ... we aborted a project to extend LDAP to our production systems,
>>> going with local files distributed via cfengine (200-300 hosts) ...
>>> You have to do some minor contortions to manage
>>> passwords and to have different lists of accounts on different systems,
>>> but otherwise it's a lot simpler than LDAP and has been more reliable so
>>> far.
>>
>> Hi, Leon. I'd like to hear more about your cfengine solution, please.
>> Are you distributing /etc/passwd, /etc/shadow and /etc/group, or have you
>> configured PAM to use some kind of supplementary passwd, shadow and group
>> files which are subject to distribution by cfengine?
>
> Also, if you use cfengine to push shadow, how do you deal with password
> changes?
We distribute the actual passwd, shadow, and group files. We had some trepidation about it at first, but now we're over it. ;)

A script copies the files from /etc on our cfengine server to the location where the cfengine clients copy them from. This means you can manage accounts and change passwords on the cfengine server normally and have the changes distributed to all the other systems. Also, very importantly, it ensures that there are no syntax problems with the files before they're copied out by cfengine, because they're live files on the cfengine server.

As I mentioned, there are some wrinkles. For example, a few servers (like an FTP server) have extra accounts, so there are addenda to the passwd, shadow, and group files that get stuck on by a script to form special-purpose files. Changing a password on those is kind of a pain: you have to change it locally or generate one with a tool, then copy it into the appended shadow file. But overall it's pretty simple to understand and manage.

--------------------------------------------------------------------
Leon Towns-von Stauber http://www.occam.com/leonvs/
"We have not come to save you, but you will not die in vain!"

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
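The assemble-and-publish step Leon describes (copy the master's live /etc files, append per-class addenda for hosts like the FTP server, then let cfengine hand the result out), as an added example in POSIX sh. This is not code from the original post or from cfengine; the directory layout, the `ftp` and `broken` class names, the list of checks and the sample entries are all assumptions, and the sample data is constructed inline under a temporary directory. The point of the check step is the one gap in the "live files are always valid" argument: the base files are exercised on the master, but the special-purpose files built from addenda are not live anywhere, so a malformed line, a reused UID, or a passwd entry with no matching shadow line would only be discovered on the hosts that receive it.

```shell
#!/bin/sh
# Added example, not from the original post or from cfengine: build the
# passwd/shadow/group files that cfengine will hand out for one host class
# from the master's live /etc copies plus per-class addenda, then refuse to
# publish a set that is malformed or inconsistent. All paths, the "ftp" and
# "broken" class names and the sample entries below are assumptions.
set -u

# build_files SRC ADDENDA CLASS OUT: copy SRC/{passwd,shadow,group} to OUT,
# appending ADDENDA/<file>.<CLASS> where one exists.
build_files() {
    src=$1; add=$2; class=$3; out=$4
    mkdir -p "$out"
    for f in passwd shadow group; do
        cat "$src/$f" > "$out/$f"
        if [ -f "$add/$f.$class" ]; then
            cat "$add/$f.$class" >> "$out/$f"
        fi
    done
    chmod 0644 "$out/passwd" "$out/group"
    chmod 0600 "$out/shadow"   # hashes never sit world-readable, even in the staging tree
}

# check_files DIR: returns 0 only if the three files in DIR are well-formed
# and agree with each other; every failure is printed so the build can be fixed.
check_files() {
    dir=$1; rc=0
    for spec in passwd:7 shadow:9 group:4; do     # expected field count per file
        f=${spec%:*}; n=${spec#*:}
        awk -F: -v f="$f" -v n="$n" 'BEGIN { bad = 0 }
            NF != n { print f ": line " NR " has " NF " fields, expected " n; bad = 1 }
            END { exit bad }' "$dir/$f" || rc=1
    done
    for f in passwd group; do                     # unique names and numeric ids
        awk -F: -v f="$f" 'BEGIN { bad = 0 }
            $1 in name { print f ": duplicate name " $1; bad = 1 }
            $3 in id   { print f ": duplicate id " $3 " (" $1 ")"; bad = 1 }
            { name[$1] = 1; id[$3] = 1 }
            END { exit bad }' "$dir/$f" || rc=1
    done
    # Each passwd user needs a shadow line and vice versa (an addendum that
    # adds one without the other is the easy mistake), and each primary GID
    # must exist in group.
    awk -F: 'BEGIN { bad = 0 } FNR == NR { seen[$1] = 1; next }
        !($1 in seen) { print "shadow: no entry for passwd user " $1; bad = 1 }
        END { exit bad }' "$dir/shadow" "$dir/passwd" || rc=1
    awk -F: 'BEGIN { bad = 0 } FNR == NR { seen[$1] = 1; next }
        !($1 in seen) { print "shadow: entry " $1 " has no passwd line"; bad = 1 }
        END { exit bad }' "$dir/passwd" "$dir/shadow" || rc=1
    awk -F: 'BEGIN { bad = 0 } FNR == NR { gid[$3] = 1; next }
        !($4 in gid) { print "passwd: " $1 " has unknown primary gid " $4; bad = 1 }
        END { exit bad }' "$dir/group" "$dir/passwd" || rc=1
    # A hash pasted into passwd instead of shadow would ship world-readable.
    awk -F: 'BEGIN { bad = 0 }
        $2 != "x" { print "passwd: " $1 " has a password field other than x"; bad = 1 }
        END { exit bad }' "$dir/passwd" || rc=1
    grep -q '^root:x:0:0:' "$dir/passwd" || { echo "passwd: root with uid 0 missing"; rc=1; }
    return $rc
}

# Constructed sample data standing in for the master's /etc and the addenda
# directory; the shadow hash for alice is a placeholder, not a real one.
write_sample_data() {
    mkdir -p "$1/etc" "$1/addenda"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/sh' > "$1/etc/passwd"
    printf '%s\n' 'root:*:15000:0:99999:7:::' 'daemon:*:15000:0:99999:7:::' \
        'alice:$6$placeholder$notarealhash:15000:0:99999:7:::' > "$1/etc/shadow"
    printf '%s\n' 'root:x:0:' 'daemon:x:1:' 'alice:x:1000:' > "$1/etc/group"
    # ftp class: one extra account, added consistently to all three files
    echo 'ftp:x:2001:2001:FTP drop:/srv/ftp:/usr/sbin/nologin' > "$1/addenda/passwd.ftp"
    echo 'ftp:*:15000:0:99999:7:::' > "$1/addenda/shadow.ftp"
    echo 'ftp:x:2001:' > "$1/addenda/group.ftp"
    # broken class: reuses uid 1000 and has no shadow addendum at all
    echo 'bob:x:1000:1000:Bob:/home/bob:/bin/sh' > "$1/addenda/passwd.broken"
}

# demo CLASS: build CLASS from the sample data in a temp dir and return
# 0 if it passed the checks, 1 if it must not be published.
demo() {
    tmp=$(mktemp -d)
    write_sample_data "$tmp"
    build_files "$tmp/etc" "$tmp/addenda" "$1" "$tmp/dist/$1"
    if check_files "$tmp/dist/$1"; then ok=0; else ok=1; fi
    rm -rf "$tmp"
    return $ok
}

if [ "${1:-}" = "--demo" ]; then
    demo ftp && echo "ftp: ok to publish"
    demo broken || echo "broken: rejected"
fi
```

Run with `sh build-accounts.sh --demo`: the `ftp` class assembles cleanly, while the `broken` class is reported twice (duplicate id 1000, and a passwd user with no shadow entry) and rejected. In a real master the `build_files`/`check_files` pair would run over the live /etc and a per-class addenda directory, and a non-zero exit from `check_files` should stop the copy into the cfengine distribution tree rather than just print; `pwck -r` and `grpck -r` can be run on the assembled files as a further check on systems that have them.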
