Igor Sutton wrote:
> You can write a PAM module that does these kind of authorization, by
> grouping your servers e.g. serverA, serverB and serverC only allows
> users having memberOf oracleDBA. It works here in the company I work
> for, and can suit yours too. I think this approach is nice because you
> can centralize all administration to one write server, and then
> replicate to your slave servers.
>
> Just one more idea :)
>
> You will need to consider what users gain access to what servers. You
> create profiles for your different server types which contain the search
> query that locates a user. Normally it is simple such as 'uid=%user'
> where %user is the name supplied by the login process. Since you may not
> want all users to log into all servers you might have the filter for
> oracle servers set like '&((uid=%user)(memberOf=oracleDBA))'. A user
> record may look like:
>
> dn: uid=robertc,ou=people,dc=example,dc=com
> objectclass: person (+ other objectclasses)
> uid: robertc
> memberOf: oracleDBA
> memberOf: lotusnotesDBA
> ...
>
You can distribute your users with LDAP. Authenticate via PAM and use pam_listfile to restrict the users for your services. You can manage these lists (per service) with cfengine. You can merge lists for different tasks on a host to a single list of users allowed for login per ssh. From the same set of lists you can also generate the User_Alias entries in your sudoers file to configure sudo. And of course you manage your sudoers file via cfengine:

Groups: AdminA, AdminB, OracleDBA, LotusDBA

Allowed for login via ssh (look for duplicates):
  HostA: AdminA, OracleDBA
  HostB: AdminA, LotusDBA
  HostC: AdminB, OracleDBA

sudoers for HostA, HostC:
  Cmnd_Alias: ORACLE_CMD=what you need as Oracle Admin
  User_Alias: ORACLE=list from OracleDBA-File
  ORACLE All= ORACLE_CMD

sudoers for HostB:
  Cmnd_Alias: LOTUS_CMD=what you need as Lotus Admin
  User_Alias: LOTUS=list from LotusDBA-File
  LOTUS All= LOTUS_CMD

Berthold Cogel

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
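The list-merging step Berthold sketches (per-group membership files, merged into one pam_listfile allow-list per host and reused for sudoers User_Alias entries) as an added example; this is not code from the thread or from cfengine. The group names and host-to-group table follow Berthold's sketch; the user names, the temporary file locations and the Cmnd_Alias command paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build per-host pam_listfile allow-lists and
# sudoers User_Alias entries from per-group membership files. Group names and host
# mapping follow Berthold's sketch; user names, file locations and the Cmnd_Alias
# command paths are constructed placeholders.
set -eu
export LC_ALL=C   # deterministic sort order for the merged lists

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed group files (one login per line), as cfengine would distribute them.
printf 'alice\nbob\n'  > "$WORK/AdminA"
printf 'carol\n'       > "$WORK/AdminB"
printf 'bob\ndave\n'   > "$WORK/OracleDBA"
printf 'erin\n'        > "$WORK/LotusDBA"

# host_groups HOST -> the groups allowed to log in to HOST (Berthold's table)
host_groups() {
    case $1 in
        HostA) echo "AdminA OracleDBA" ;;
        HostB) echo "AdminA LotusDBA" ;;
        HostC) echo "AdminB OracleDBA" ;;
        *) echo "unknown host: $1" >&2; return 1 ;;
    esac
}

# merge_login_list GROUP... -> merged, de-duplicated user list, one login per line.
# This is the format pam_listfile reads with item=user, so duplicates across
# groups (bob is in AdminA and OracleDBA) collapse to a single entry.
merge_login_list() {
    for g in "$@"; do cat "$WORK/$g"; done | grep -v '^[[:space:]]*$' | sort -u
}

# login_list HOST -> the ssh allow-list for HOST; pair it with a PAM line such as
#   auth required pam_listfile.so item=user sense=allow file=/etc/security/sshusers onerr=fail
login_list() {
    merge_login_list $(host_groups "$1")   # word splitting on the group names is intended
}

# user_alias ALIAS GROUP... -> one sudoers User_Alias line built from the same group files
user_alias() {
    alias_name=$1; shift
    members=$(merge_login_list "$@" | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }')
    printf 'User_Alias %s = %s\n' "$alias_name" "$members"
}

# sudoers_fragment HOST -> the sudoers section for HOST, one block per DBA group present
sudoers_fragment() {
    for g in $(host_groups "$1"); do
        case $g in
            OracleDBA)
                echo 'Cmnd_Alias ORACLE_CMD = /placeholder/oracle/admin/commands'
                user_alias ORACLE OracleDBA
                echo 'ORACLE ALL = ORACLE_CMD' ;;
            LotusDBA)
                echo 'Cmnd_Alias LOTUS_CMD = /placeholder/lotus/admin/commands'
                user_alias LOTUS LotusDBA
                echo 'LOTUS ALL = LOTUS_CMD' ;;
        esac
    done
}

# Stand-alone run: show HostA's allow-list and its sudoers fragment.
login_list HostA
sudoers_fragment HostA
```

Because both the allow-list and the User_Alias come from the same group files, adding or removing a login in one place changes ssh access and sudo rights together; the `onerr=fail` option on the PAM line makes a missing or unreadable allow-list deny login rather than silently allow it.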