[CentOS] User Management

Mon Jul 6 16:42:43 UTC 2009
nate <centos at linuxpowered.net>

Justin Lim wrote:
> I am just wondering how other people are doing their user management for
> multiple servers that are not in any type of directory.
> Does anyone use any application that queries each server for users or keeps a
> database of users that are on each server?
> I would like to get feedback on what others use...

For my ~400 systems I use a custom script setup that I wrote and tie
it into cfengine. Basically it generates dynamic passwd/shadow/group
files for several different 'classes' of systems. Very few accounts
have passwords, 99%+ of logins are done via ssh key based authentication
which is managed by another script which dynamically creates ssh
authorized_keys files for at least the shared accounts. Key files for
both shared accounts and user accounts are managed by cfengine and
populated by me. Key files and passwd/shadow/group files are inspected
hourly and replaced if they were somehow changed from the master.

The person who was in my role before me tried to set up LDAP and it
didn't work out too well. I learned a while back that in this
type of environment anyways LDAP is just another layer, and remains
complicated even today (I've been managing LDAP systems off and on
for about 8 years now).

The system I use today I wrote a couple of years ago and has proven
to be very robust and reliable since each & every server has everything
it needs to authenticate users. Both scripts show me detailed information
of the changes I make before they are committed, and make automatic
backups for easy rollback.

Home directories on some internal servers are centrally hosted by
an NFS cluster, though most home directories are just skeletons that
are not shared/replicated in any way. CFengine automatically creates
home directories that do not exist by means of another script a
co-worker of mine wrote a few years ago.

There are very few services other than ssh that we need authentication
for; those typically have their own user databases.
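
An added sketch of the hourly check-and-replace step described in the message above; it is not the poster's script or cfengine configuration. The function name, return codes and paths are assumptions made for illustration.

```shell
#!/bin/sh
# Drift check for one managed file (passwd, shadow, group or an
# authorized_keys file) against its master copy. Hypothetical helper.
#
# sync_managed_file MASTER TARGET BACKUP_DIR [MODE]
#   returns 0  if TARGET already matches MASTER
#   returns 10 if drift was found, backed up and repaired
#   returns 1  on error (nothing is replaced)
# Example hourly call (assumed paths):
#   sync_managed_file /var/master/shadow /etc/shadow /var/backups/auth 600
sync_managed_file() {
    master=$1; target=$2; backup_dir=$3; mode=${4:-600}

    [ -r "$master" ] || { echo "master copy unreadable: $master" >&2; return 1; }

    # Byte-for-byte compare; a missing target also counts as drift.
    if [ -f "$target" ] && cmp -s "$master" "$target"; then
        return 0
    fi

    (
        umask 077    # new backup directory and temp files stay private
        mkdir -p "$backup_dir" || exit 1
        if [ -f "$target" ]; then
            # Keep the altered file: it is the rollback copy and the
            # evidence of what was changed outside the master.
            stamp=$(date +%Y%m%d%H%M%S)
            cp -p "$target" "$backup_dir/$(basename "$target").$stamp" || exit 1
        fi
        # Stage next to the target so the final rename is atomic and a
        # login never sees a half-written passwd or authorized_keys file.
        tmp=$(mktemp "$target.XXXXXX") || exit 1
        cp "$master" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$target" \
            || { rm -f "$tmp"; exit 1; }
    ) || return 1

    # Log the event, not the content: a diff of shadow would put
    # password hashes into the log.
    echo "drift repaired: $target" >&2
    return 10
}
```

A return code of 10 is worth alerting on, since it means a credential file was changed outside the managed process.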