I inherited 40 Red Hat 4.x servers that were each set up as an
individual server. As a result of a recent audit we implemented 60
day passwords. Unfortunately this means that every 60 days each user
needs to log into 40 different servers and change their passwords.
I was wondering what you are using for managing groups and users, and
what would you recommend for a Linux admin with average skills. I was
thinking that Directory Services might be the answer, but I was
looking for other possible recommendations.
On Wed, Jun 24, 2009 at 11:06, grob <bcclay...@butlermfg.com> wrote:
> I inherited 40 Red Hat 4.x servers that were each set up as an
> individual server. As a result of a recent audit we implemented 60
> day passwords. Unfortunately this means that every 60 days each user
> needs to log into 40 different servers and change their passwords.
> I was wondering what you are using for managing groups and users, and
> what would you recommend for a Linux admin with average skills. I was
> thinking that Directory Services might be the answer, but I was
> looking for other possible recommendations.
We have several hundred Linux boxes and LDAP works well for it. Tricky part
is managing groups for the different servers. We have many different groups
for the different servers which requires more administrative overhead.
Less groups, less overhead, but less granular control. If your 40 systems
all have similar permissions then it should be pretty easy; otherwise it may
require some additional help to get everything figured out.
On Wed, Jun 24, 2009 at 11:13 AM, Kit Peters <popefe...@gmail.com> wrote:
> You could do OpenLDAP. How many users do you have on each of those
> servers?
> On Wed, Jun 24, 2009 at 11:06, grob <bcclay...@butlermfg.com> wrote:
>> I inherited 40 Red Hat 4.x servers that were each set up as an
>> individual server. As a result of a recent audit we implemented 60
>> day passwords. Unfortunately this means that every 60 days each user
>> needs to log into 40 different servers and change their passwords.
>> I was wondering what you are using for managing groups and users, and
>> what would you recommend for a Linux admin with average skills. I was
>> thinking that Directory Services might be the answer, but I was
>> looking for other possible recommendations.
On Wed, Jun 24, 2009 at 1:28 PM, grob <bcclay...@butlermfg.com> wrote:
> We have about 15 users and just about 4 groups. It's mostly just an
> Oracle ERP environment so all the servers have the same users and
> permissions.
> thanks,
> On Jun 24, 11:13 am, Kit Peters <popefe...@gmail.com> wrote:
> > You could do OpenLDAP. How many users do you have on each of those
> > servers?
> > On Wed, Jun 24, 2009 at 11:06, grob <bcclay...@butlermfg.com> wrote:
> > > I inherited 40 Red Hat 4.x servers that were each set up as an
> > > individual server. As a result of a recent audit we implemented 60
> > > day passwords. Unfortunately this means that every 60 days each user
> > > needs to log into 40 different servers and change their passwords.
> > > I was wondering what you are using for managing groups and users, and
> > > what would you recommend for a Linux admin with average skills. I was
> > > thinking that Directory Services might be the answer, but I was
> > > looking for other possible recommendations.
I agree with the others, LDAP is the best way to go. If you're not already using Satellite or Spacewalk, you ought to look into that as well.
Jeffrey.
On Wed, Jun 24, 2009 at 1:38 PM, Daniel Matthis <daniel.matt...@gmail.com> wrote:
> LDAP should work. As a side note "puppet" has been working well for us to
> keep clustered systems to stay the same.
--
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself." -- Thomas Paine
On Wed, Jun 24, 2009 at 1:49 PM, Glenn Robuck <techraving...@gmail.com> wrote:
> What are Satellite and Spacewalk?
Currently it only runs on RHEL5 and Fedora 9 & 10. Fedora 11 support is coming in three weeks. I believe there is some limited support for managing Solaris systems from it, however.
Jeffrey.
On Wed, Jun 24, 2009 at 2:30 PM, Rezty Felty <rfe...@kc-felty.net> wrote:
> Has Spacewalk been ported to other *nixes, like Solaris?
> Rezty Felty, MCSE
> SysAdmin
> Sourcecorp
Dunno. Maybe I've just never accepted the burden of mastering Berkeley
DB as a prerequisite for using any application that depends on it.
Maybe I just suck.
Anyway, I've yet to work with OpenLDAP for an extended time w/out it
regularly erm... having a Giant Bowel Movement(tm) periodically that
would require a restoration from an LDIF backup.
Since you have a fairly small number of users, I'd suggest skipping
openldap and going with a pam back-end such as postgre (or mysql or
oracle or db2 running on the z10 we all know you're not telling us
about). You'll get the same functionality without having to fight the
urge to punch yourself in the Sensitive Bits(tm).
<tangent>
To those that might think I'm on something re: OpenLDAP/BDB stability,
how often do you have parallel updates on your directory? Analysis of
usage patterns in the environments I had difficulty with generally
involved near-simultaneous updates of user account data from various
interfaces. If you've solved the db corruption issue, I'd love to
hear about it. I like the idea of OpenLDAP, but at this point, I'll not
implement a system with it again w/out utilizing an rdbms for back-end
storage.
</tangent>
gladiat...@gmail.com wrote:
> Since you have a fairly small number of users, I'd suggest skipping
> openldap and going with a pam back-end such as postgre (or mysql or
> oracle or db2 running on the z10 we all know you're not telling us
> ...
> <tangent>
> To those that might think I'm on something re: OpenLDAP/BDB stability,
> how often do you have parallel updates on your directory? Analysis of
> usage patterns in the environments I had difficulty with generally
> involved near-simultaneous updates of user account data from various
> interfaces. If you've solved the db corruption issue, I'd love to
> hear about it. I like the idea of OpenLDAP, but at this point, I'll not
> implement a system with it again w/out utilizing an rdbms for back-end
> storage.
> </tangent>
I had the same issue with openLDAP. The BDB would eat itself occasionally. I did not even have concurrent writes and it would still cock itself up. I did notice that mine seemed to happen at the season changes (specifically winter into summer). It's a bit odd but it seemed to happen more frequently around that time then not happen again for about 9 months.
It's possible to use another database as a backend for openLDAP but I never tried it. I would recommend. What I would like to know is how to make Windows XP authenticate directly against a database. I guess Vista supports Credential Providers like pam according to a quick google. Anyone tried that? Then it would be possible to just remove ldap from the mix and have things authenticate against databases that don't eat themselves.
Note: I'm coming from the side of using samba + LDAP as a domain controller for central authentication so that would be my main interest.
Of course I suppose you could just regularly jam your user database into ldap for the needed ldap support.
Indeed. In that sort of situation, I would leave OpenLDAP as a front-
end to the database to support LDAPish things such as Win32 auth or
calendar features.
I don't recommend spacewalk for most sysadmins and users right now. The only supported database is Oracle. PostgreSQL support is coming, but it is coming very very slowly.
Jeffrey Watts wrote:
> They are Red Hat's management framework for Linux systems. They provide
> monitoring, provisioning, configuration deployment, and inventorying.
> Satellite is the product that Red Hat sells. Spacewalk is the upstream
> open source product. Spacewalk is to Satellite as Fedora is to RHEL.
> On Wed, Jun 24, 2009 at 1:49 PM, Glenn Robuck <techraving...@gmail.com> wrote:
> > What are Satellite and Spacewalk?
--
========================================================
David Hageman <dhage...@dracken.com>
Dracken Technology, Inc. http://www.dracken.com/
========================================================
gladiat...@gmail.com wrote:
> Dunno. Maybe I've just never accepted the burden of mastering Berkeley
> DB as a prerequisite for using any application that depends on it.
> Maybe I just suck.
> Anyway, I've yet to work with OpenLDAP for an extended time w/out it
> regularly erm... having a Giant Bowel Movement(tm) periodically that
> would require a restoration from an LDIF backup.
> Since you have a fairly small number of users, I'd suggest skipping
> openldap and going with a pam back-end such as postgre (or mysql or
> oracle or db2 running on the z10 we all know you're not telling us
> about). You'll get the same functionality without having to fight the
> urge to punch yourself in the Sensitive Bits(tm).
> <tangent>
> To those that might think I'm on something re: OpenLDAP/BDB stability,
> how often do you have parallel updates on your directory? Analysis of
> usage patterns in the environments I had difficulty with generally
> involved near-simultaneous updates of user account data from various
> interfaces. If you've solved the db corruption issue, I'd love to
> hear about it. I like the idea of OpenLDAP, but at this point, I'll not
> implement a system with it again w/out utilizing an rdbms for back-end
> storage.
> </tangent>
I ran into similar issues a couple of years ago, but for the last year or two I have had no issues with OpenLDAP/BDB combination. In fact, it has worked exceedingly well.
I also would have recommended the OpenLDAP/RDBMS a couple of years ago. I think this is because I really like those types of databases. They just make sense to me. I wouldn't recommend it today unless you are retrofitting a legacy SQL database into something accessed by more modern tools. Why? It just makes the system that much more complicated. If there is corruption - restoring from an LDIF dump is quick and easy. If you are seriously worried - go ahead and set up a master/slave for your openldap systems. It works great!
Dave, you can use Oracle XE for free with Spacewalk. Or, you can wait three weeks when PostgreSQL support will be released. Red Hat is aggressively developing Spacewalk right now, there's a lot of really cool things coming.
On Thu, Jun 25, 2009 at 6:46 PM, David Hageman <dhage...@dracken.com> wrote:
> I don't recommend spacewalk for most sysadmins and users right now. The
> only supported database is Oracle. PostgreSQL support is coming, but it
> is coming very very slowly.
I am aware that you can use Oracle XE for Spacewalk. My complaint about Spacewalk isn't the cost of Oracle. My complaint about the use of Oracle is that it is resource intensive in terms of both hardware and administration. I want it to save me time - not make my life more complicated.
I have been following the work on Spacewalk since it was announced. At my day job I manage close to 100 linux boxes with 1000+ users - I am always looking for ways to make my life easier. Porting to postgresql has been no easy task for the developers of Spacewalk. I follow the -devel mailing list and I think you read the milestone page wrong. Full postgresql support is 5 months out and I believe it will probably be a bit longer before it is truly usable.
I use just a few tools at work to manage all of those machines:
cobbler
func
yum
a few shell scripts
The only major hardware requirement is disk space for mirroring the software repositories. This has served me well for over two years now.
As someone who has done this type of administration for quite a few years - I just can't recommend spacewalk at this time for system administrators and casual users.
Jeffrey Watts wrote:
> Dave, you can use Oracle XE for free with Spacewalk. Or, you can wait
> three weeks when PostgreSQL support will be released. Red Hat is
> aggressively developing Spacewalk right now, there's a lot of really
> cool things coming.
> On Thu, Jun 25, 2009 at 6:46 PM, David Hageman <dhage...@dracken.com> wrote:
> > I don't recommend spacewalk for most sysadmins and users right now. The
> > only supported database is Oracle. PostgreSQL support is coming, but it
> > is coming very very slowly.
We must work in different environs. I don't think Oracle XE has very dramatic hardware requirements for a modern system. Regardless, use what you want, but I don't think it's prudent to tell someone to go elsewhere when there's a perfectly good solution available for what he's likely wanting to do.
He's operating in a Red Hat environment, so I suggested that he look at Satellite/Spacewalk in addition to LDAP for authentication. Yes, there are other tools but I'm trying to give him the "simplest" path.
If you don't think Spacewalk is ready for prime time for Fedora/CentOS use, great. But I don't see how that affects him, as he'd be looking at using Satellite.
Jeffrey.
On Fri, Jun 26, 2009 at 12:11 AM, David Hageman <dhage...@dracken.com> wrote:
> I am aware that you can use Oracle XE for Spacewalk. My complaint about
> Spacewalk isn't the cost of Oracle. My complaint about the use of
> Oracle is that it is resource intensive in terms of both hardware and
> administration. I want it to save me time - not make my life more
> complicated.
> I have been following the work on Spacewalk since it was announced. At
> my day job I manage close to 100 linux boxes with 1000+ users - I am
> always looking for ways to make my life easier. Porting to postgresql
> has been no easy task for the developers of Spacewalk. I follow the
> -devel mailing list and I think you read the milestone page wrong. Full
> postgresql support is 5 months out and I believe it will probably be a bit
> longer before it is truly usable.
> I use just a few tools at work to manage all of those machines:
> cobbler
> func
> yum
> a few shell scripts
> The only major hardware requirement is disk space for mirroring the
> software repositories. This has served me well for over two years now.
> As someone who has done this type of administration for quite a few
> years - I just can't recommend spacewalk at this time for system
> administrators and casual users.
Yes. They are opening up the development model for Satellite. Spacewalk is the new upstream for Satellite.
Jeffrey.
On Fri, Jun 26, 2009 at 1:01 AM, Justin Dugger <jldug...@gmail.com> wrote:
> On Thu, Jun 25, 2009 at 11:32 PM, Jeffrey Watts <jeffrey.w.wa...@gmail.com> wrote:
> > Dave, you can use Oracle XE for free with Spacewalk. Or, you can wait three
> > weeks when PostgreSQL support will be released. Red Hat is aggressively
> > developing Spacewalk right now, there's a lot of really cool things coming.
> Wasn't Redhat the group that developed Satellite?