[CentOS] managing logins for different classes of servers

Thu Jun 4 18:29:25 UTC 2015
Matt Garman <matthew.garman at gmail.com>

Our environment has several "classes" of servers, such as
"development", "production", "qa", "utility", etc.  Then we have all
our users.  There's no obvious mapping between users and server class.
Some users may have access to only one class, some may span multiple
classes, etc.  And for maximum complexity, some classes of machines
use local (i.e. /etc/passwd, /etc/shadow) authentication, others use

With enough users and enough classes, it gets to be more than one can
easily manage with a simple spreadsheet or other crude mechanism.
Plus the ever-growing risk of giving a user access to a class he
shouldn't have.

Is there a simple centralized solution that can simplify the
management of this?  One caveat though is that our "production" class
machines should not have any external dependencies.  These are
business-critical, so we try to minimize any single point of failure
(e.g. a central server).  Plus the production class machines are
distributed in multiple remote locations.

Any thoughts?