Hello all,
At my current job the time has come to unify our LDAP infrastructure into one tree (preferably). The basics are working but we are not sure how to restrict which users can log into which machines.
What we would like is for everyone in the (for example) "infra" group to log into all machines while people in the "development" group can only log into development servers. From an initial Google my options seem to be:
* LDAP based netgroups
* OpenSSH - AllowGroups, DenyGroups
* PAM - mod_access
Does anyone have any real-world, in-the-trenches experience they would be willing to share? I would like to know which is the most maintainable and easy to hand over to more junior admins.
Thanks,
Fred.
Friedrich Clausen wrote:
Does anyone have any real-world, in-the-trenches experience they would be willing to share? I would like to know which is the most maintainable and easy to hand over to more junior admins.
The way we did this was: we have an access.conf file that is automatically copied to every machine via a cron job. To give a netgroup access, you just make the change to the file in Subversion, and it's automatically propagated a few minutes later.
It's kind of hacky, but it does work.
--Russell
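The access.conf approach above relies on pam_access(8) reading /etc/security/access.conf, where each line is `permission : users : origins`, the first matching line wins, and a login that matches no line at all is granted. A policy file that is pushed to every host by cron or Puppet is exactly the file you want to sanity-check before it goes out, because a typo or a missing trailing deny line takes effect everywhere at once. The following is an added example, not code from this thread and not pam_access itself: a small evaluator that answers "would this user, coming from this origin, get in under this file?" for the subset of the syntax an infra/development split needs (ALL, user names, (group), @netgroup, EXCEPT, and origins given as ALL, LOCAL, a hostname or a .domain suffix). The netgroup and group tables, the host names and the sample policy are all constructed stand-ins for what LDAP would return; LOCAL is simplified to "origin contains no dot".

```python
"""Simulate how pam_access(8) evaluates an access.conf policy (added example).

Semantics follow access.conf(5): rules are ``permission : users : origins``,
the first matching rule decides, and if nothing matches the login is allowed.
Only the syntax subset used for an infra/development split is implemented.
"""
import re

# Constructed sample directory data (what `getent netgroup` / `getent group`
# would return from LDAP). erin is in the UNIX group but not the netgroup.
NETGROUPS = {
    "infra": {"alice", "bob"},
    "development": {"carol", "dave"},
}
GROUPS = {
    "wheel": {"alice"},
    "development": {"carol", "dave", "erin"},
}

# Constructed sample policy for a development server: infra from anywhere,
# developers from anywhere except guest networks, everyone else denied.
DEV_SERVER_ACCESS_CONF = """
+ : root : LOCAL
+ : @infra : ALL
+ : @development : ALL EXCEPT .guest.example.com
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return a list of (permit, users_field, origins_field) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0] == "+", parts[1], parts[2]))
    return rules


def _match_list(field, token_matches):
    """Match "a b EXCEPT c d": some included token matches, no excluded one does."""
    parts = re.split(r"\bEXCEPT\b", field, maxsplit=1)
    include = parts[0]
    exclude = parts[1] if len(parts) > 1 else ""

    def matches(spec):
        return any(token_matches(tok) for tok in spec.split())

    return matches(include) and not matches(exclude)


def _user_matches(token, user, groups, netgroups):
    if token == "ALL":
        return True
    if token.startswith("@"):                            # @netgroup (NIS/LDAP)
        return user in netgroups.get(token[1:], set())
    if token.startswith("(") and token.endswith(")"):    # (group): UNIX group only
        return user in groups.get(token[1:-1], set())
    # A bare name is tried as a user name first, then as a group name.
    return token == user or user in groups.get(token, set())


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                                 # simplified: no '.' in origin
        return "." not in origin
    if token.startswith("."):                            # .domain matches hosts under it
        return origin.endswith(token)
    return token == origin


def check_access(rules, user, origin, groups=GROUPS, netgroups=NETGROUPS):
    """Return True if pam_access would admit `user` logging in from `origin`."""
    for permit, users, origins in rules:
        if (_match_list(users, lambda t: _user_matches(t, user, groups, netgroups))
                and _match_list(origins, lambda t: _origin_matches(t, origin))):
            return permit
    return True   # no rule matched: pam_access defaults to allowing the login


if __name__ == "__main__":
    rules = parse_access_conf(DEV_SERVER_ACCESS_CONF)
    for user, origin in [("alice", "laptop.corp.example.com"),
                         ("carol", "laptop.corp.example.com"),
                         ("carol", "x.guest.example.com"),
                         ("erin", "laptop.corp.example.com"),
                         ("root", "tty1"),
                         ("root", "bastion.corp.example.com")]:
        verdict = "allow" if check_access(rules, user, origin) else "deny"
        print(f"{user:6s} from {origin:26s} -> {verdict}")
```

Two things the evaluator makes visible that are easy to miss when editing the file by hand: erin is denied even though she is in the development UNIX group, because the rule names the @development netgroup, not the (development) group; and a file that omits the final `- : ALL : ALL` line lets any user not covered by an earlier rule straight in, since pam_access allows by default. None of this takes effect on a host unless the relevant PAM service file (for SSH, /etc/pam.d/sshd) contains an `account required pam_access.so` line, so that line belongs in the same Puppet or cron-distributed bundle as the policy file.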
Hi,
On Tue, Dec 2, 2008 at 4:00 PM, Russell Miller <duskglow@gmail.com> wrote:
Friedrich Clausen wrote:
Does anyone have any real-world, in-the-trenches experience they would be willing to share? I would like to know which is the most maintainable and easy to hand over to more junior admins.
The way we did this was: we have an access.conf file that is automatically copied to every machine via a cron job. To give a netgroup access, you just make the change to the file in Subversion, and it's automatically propagated a few minutes later.
Thanks for the info. I plan to distribute those types of configuration files through Puppet, that is, if Puppet proves usable in our environment, but it looks great so far.
Cheers,
Fred.