Justin Lim wrote: > I am just wondering how other people are doing their user management for > multiple servers that not in any type of directory. > > Do anyone use any application that query each server for users or keep a > database of users that's on each server? > > I would like to get feedback on what others use... For my ~400 systems I use a custom script setup that I wrote and tie it into cfengine. Basically it generates dynamic passwd/shadow/group files for several different 'classes' of systems. Very few accounts have passwords, 99%+ of logins are done via ssh key based authentication which is managed by another script which dynamically creates ssh authorized_keys files for at least the shared accounts. Key files for both shared accounts and user accounts are managed by cfengine and populated by me. Key files and passwd/shadow/group files are inspected hourly and replaced if they were somehow changed from the master. The person who was in my role before me tried to setup LDAP and it didn't work out too well. I learned at a while back that in this type of environment anyways LDAP is just another layer, and remains complicated even today(I've been managing LDAP systems off and on for about 8 years now). The system I use today I wrote a couple of years ago and has proven to be very robust and reliable since each & every server has everything it needs to authenticate users. Both scripts show me detailed information of the changes I make before they are committed, and make automatic backups for easy rollback. Home directories on some internal servers are centrally hosed by an NFS cluster, though most home directories are just skeletons that are not shared/replicated in any way. CFengine automatically creates home directories that do not exist by means of another script a co-worker of mine wrote a few years ago. There's very few services other than ssh that we need authentication for, those typically have their own user databases. nate