[ale] Managing passwd and sudoers files on multiple servers.

JD jdp at algoloma.com
Fri Aug 22 08:22:29 EDT 2014


Sounds like NIS/NIS+.

I looked a few months ago and the debian port of freeIPA seemed stalled over the
50+ different languages used in the 100+ tiny tools that make up the offering. A
few of the key tools didn't work on Debian. I'm exaggerating a little, but not
much.  Have things changed?


On 08/22/2014 07:59 AM, Jim Kinney wrote:
> Bite the bullet and look at freeIPA. It's designed to run AD out of the
> workplace.
> The clincher for me was the hostgroup. All users are in a primary group and
> as many secondary groups as needed. Hosts are also in groups or not. User
> groups of the proper type can access host groups as allowed. This can also
> setup sudo capabilities by user, user group, host and host group. So a
> script that runs as root that does a particular needed task can be deployed
> to all systems but only accessed by allowed users on allowed hosts. Time
> controls exist as well.
> 
> Backups of freeIPA are a bit unnerving. They basically don't exist other
> than turn down the service and copy all files. What is used is the multi
> master replication.
> 
> I have 2 primary masters that are department wide. There's a new group in a
> remote location that has their own big server. It's a secondary master.
> Masters run DNS as well as user with. So the clients in that group use that
> as their primary DNS and the others as secondary. If network is flaky, they
> have only a single switch between client and server. And the server stays
> synchronized with the larger group.
> A really nice feature if freeIPA is it can hold ssh pub keys for users. SSh
> and Pam knows to check the LDAP for pub keys on login. For users, no more
> key migration. If you're allowed on that machine, it just works. For
> admins, if a user must be locked out, just dumping their key and locking
> the account to disabled handles it.
> 
> Yes, it's run/funded by RedHat now. Debian supports it but I found some
> blockers in Ubuntu (10 I think. Not tried 12). I don't know if SUSE has a
> pam/ssh compatible or not.
> It works. It works very well. Active support community with developers on
> the mailing list who help.
> 
> Added bonus is dogtag is used for CA and cert management. This can provide
> user certs for authenticated access to internal websites.
> On Aug 22, 2014 6:58 AM, "JD" <jdp at algoloma.com> wrote:
> 
>> On 08/22/2014 12:19 AM, Jeff Hubbs wrote:
>>> On 8/21/14, 11:43 PM, JD wrote:
>>>> NIS if you don't care about security.
>>>>
>>>> LDAP if you do.  FreeIPA is the RH answer for this - I'm jealous.
>>> Agree re LDAP; if you're syncing passwd/group/sudoers files, you're
>> Doing It
>>> Wrong (tm).  I long advocated avoiding "X's LDAP solution" (for values
>> of X to
>>> include Red Hat and Microsoft) so you are motivated to keep things
>> simple and
>>> manageable and don't wind up in abandonwareland or experience
>>> embrace/extend/extinguish.
>>>
>>
>> So - if not puppet/ansible - then how should we be managing sudoers?
>> Teach me Obiwan.
>>
>> Please don't say eTrust. ;)
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.ale.org/pipermail/ale/attachments/20140822/7f67a92b/attachment.html>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 


-- 
JD Pflugrath
 Value | Results
Direct: +001.678.685.8882
Ofc: 1.866.963.2546
Managing Director
Algoloma Systems, LLC


More information about the Ale mailing list