managing groups and users question


grob

Jun 24, 2009, 12:06:12 PM
to kulua-l
I inherited 40 Red Hat 4.x servers that were each set up as an
individual server. As a result of a recent audit we implemented 60
day passwords. Unfortunately this means that every 60 days each user
needs to log into 40 different servers and change their passwords.

I was wondering what you are using for managing groups and users, and
what would you recommend for a Linux admin with average skills. I was
thinking that Directory Services might be the answer, but I was
looking for other possible recommendations.

thanks,
Ben
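The check behind the problem Ben describes, as an added example that is not code from this thread: with 40 stand-alone hosts and a 60-day maximum, every server's `/etc/shadow` has to be inspected on its own, and this script classifies each account against that policy using the shadow(5) field semantics (empty `lastchg` disables aging, `lastchg` of 0 forces a change at next login, empty or 99999 `max` means no maximum). The 60-day value comes from the post; the shadow records, hash strings and the `SAMPLE_TODAY` day number are constructed.

```python
"""Audit shadow(5) password ages against a maximum-age policy.

Added example, not code from the thread. The sample records below are
constructed; real use reads /etc/shadow as root via audit_file().
"""
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SECONDS_PER_DAY = 86400


@dataclass
class ShadowEntry:
    name: str
    locked: bool               # password field starts with '!' or '*'
    lastchg: Optional[int]     # days since 1970-01-01 of last change; None = aging disabled
    max_days: Optional[int]    # maximum days before a change is required; None = no maximum
    warn_days: int             # days of warning before expiry


def _opt_int(field: str) -> Optional[int]:
    field = field.strip()
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) record: name:pw:lastchg:min:max:warn:inact:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    name, pw, lastchg, _min, maxd, warn = fields[:6]
    return ShadowEntry(
        name=name,
        locked=pw.startswith(("!", "*")),
        lastchg=_opt_int(lastchg),
        max_days=_opt_int(maxd),
        warn_days=_opt_int(warn) or 0,
    )


def classify(entry: ShadowEntry, today_days: int, policy_max: int = 60) -> str:
    """Return one of: locked, policy-not-applied, expired, warn, ok."""
    if entry.locked:
        return "locked"
    if entry.max_days is None or entry.max_days > policy_max:
        return "policy-not-applied"   # host never received the 60-day setting
    if entry.lastchg is None:
        return "policy-not-applied"   # aging disabled for this account
    if entry.lastchg == 0:
        return "expired"              # must change at next login
    age = today_days - entry.lastchg
    if age > entry.max_days:
        return "expired"
    if age >= entry.max_days - entry.warn_days:
        return "warn"
    return "ok"


def audit(lines: Iterable[str], today_days: int, policy_max: int = 60) -> Dict[str, str]:
    """Map each account name to its classification; blank and comment lines are skipped."""
    result: Dict[str, str] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        result[entry.name] = classify(entry, today_days, policy_max)
    return result


def audit_file(path: str = "/etc/shadow", policy_max: int = 60) -> Dict[str, str]:
    """Audit a real shadow file (needs root); today is derived from the clock."""
    today_days = int(time.time()) // SECONDS_PER_DAY
    with open(path, encoding="utf-8") as fh:
        return audit(fh, today_days, policy_max)


# Constructed sample. Day 14419 is 2009-06-24, the date of the original post.
SAMPLE_TODAY = 14419
SAMPLE_SHADOW = [
    "ben:$1$constructedhash:14400:0:60:7:::",       # changed 19 days ago
    "oraapp:$1$constructedhash:14350:0:60:7:::",    # changed 69 days ago
    "dba:$1$constructedhash:14365:0:60:7:::",       # changed 54 days ago, inside warn window
    "svc:$1$constructedhash:14300:0:99999:7:::",    # host still on the old default max
    "olduser:!$1$constructedhash:14000:0:60:7:::",  # locked account
    "newhire:$1$constructedhash:0:0:60:7:::",       # must change at next login
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_SHADOW, SAMPLE_TODAY).items():
        print(f"{name:10s} {status}")
```

Run per host (or via ssh in a loop) and compare the "policy-not-applied" lines across servers: that is exactly the drift a directory service removes, since expiry then lives in one place instead of in 40 shadow files.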

Kit Peters

Jun 24, 2009, 12:13:14 PM
to kul...@googlegroups.com
You could do OpenLDAP.  How many users do you have on each of those servers?
--
GPG public key fingerprint: 1A12 04B6 0C80 306A B292  14FD 2C7A 1037 F666 46A7

Daniel Matthis

Jun 24, 2009, 12:22:44 PM
to kul...@googlegroups.com
We have several hundred Linux boxes and LDAP works well for it. The tricky part is managing groups for the different servers. We have many different groups for the different servers, which requires more administrative overhead.

Fewer groups, less overhead, but less granular control. If your 40 systems all have similar permissions then it should be pretty easy; otherwise it may require some additional help to get everything figured out.
--
- Daniel

grob

Jun 24, 2009, 2:28:22 PM
to kulua-l
We have about 15 users and just about 4 groups. It's mostly just an
Oracle ERP environment so all the servers have the same users and
permissions.

thanks,

Daniel Matthis

Jun 24, 2009, 2:38:04 PM
to kul...@googlegroups.com
LDAP should work. As a side note, "puppet" has been working well for us to keep clustered systems the same.
--
- Daniel

Jeffrey Watts

Jun 24, 2009, 2:46:56 PM
to kul...@googlegroups.com
I agree with the others, LDAP is the best way to go. If you're not already using Satellite or Spacewalk, you ought to look into that as well.

Jeffrey.


--

"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself." -- Thomas Paine

Glenn Robuck

Jun 24, 2009, 2:49:42 PM
to kul...@googlegroups.com
What are Satellite and Spacewalk?

Jeffrey Watts

Jun 24, 2009, 3:01:57 PM
to kul...@googlegroups.com
They are Red Hat's management framework for Linux systems.  They provide monitoring, provisioning, configuration deployment, and inventorying.

Satellite is the product that Red Hat sells.  Spacewalk is the upstream open source product.  Spacewalk is to Satellite as Fedora is to RHEL.

http://www.redhat.com/spacewalk/
http://www.redhat.com/red_hat_network/

Jeffrey.




Rezty Felty

Jun 24, 2009, 3:30:51 PM
to kul...@googlegroups.com
Has Spacewalk been ported to other *nixes, like Solaris?
Rezty Felty, MCSE
SysAdmin
Sourcecorp


Jeffrey Watts

Jun 24, 2009, 3:36:44 PM
to kul...@googlegroups.com
Currently it only runs on RHEL5 and Fedora 9 & 10. Fedora 11 support is coming in three weeks. I believe there is some limited support for managing Solaris systems from it, however.

Jeffrey.



gladi...@gmail.com

Jun 25, 2009, 11:52:56 AM
to kulua-l
Dunno. Maybe I've just never accepted the burden of mastering Berkeley
DB as a prerequisite for using any application that depends on it.
Maybe I just suck.

Anyway, I've yet to work with OpenLDAP for an extended time w/out it
regularly erm... having a Giant Bowel Movement(tm) periodically that
would require a restoration from an LDIF backup.

Since you have a fairly small number of users, I'd suggest skipping
openldap and going with a pam back-end such as postgre (or mysql or
oracle or db2 running on the z10 we all know you're not telling us
about). You'll get the same functionality without having to fight the
urge to punch yourself in the Sensitive Bits(tm).

<tangent>
To those that might think I'm on something re: OpenLDAP/BDB stability,
how often do you have parallel updates on your directory? Analysis of
usage patterns in the environments I had difficulty with generally
involved near-simultaneous updates of user account data from various
interfaces. If you've solved the db corruption issue, I'd love to
hear about it. I like the idea of OpenLDAP, but at this point, I'll not
implement a system with it again w/out utilizing an rdbms for back-end
storage.
</tangent>

-Stephen

Nick Anderson

Jun 25, 2009, 1:04:44 PM
to kul...@googlegroups.com
gladi...@gmail.com wrote:
> Since you have a fairly small number of users, I'd suggest skipping
> openldap and going with a pam back-end such as postgre (or mysql or
> oracle or db2 running on the z10 we all know you're not telling us
> ...

> <tangent>
> To those that might think I'm on something re: OpenLDAP/BDB stability,
> how often do you have parallel updates on your directory? Analysis of
> usage patterns in the environments I had difficulty with generally
> involved near-simultaneous updates of user account data from various
> interfaces. If you've solved the db corruption issue, I'd love to
> hear about. I like the idea of OpenLDAP, but at this point, I'll not
> implement a system with it again w/out utilizing an rdbms for back-end
> storage.
> </tangent>
>
I had the same issue with openLDAP. The BDB would eat itself
occasionally. I did not even have concurrent writes and it would still
cock itself up. I did notice that mine seemed to happen at the season
changes (specifically winter into summer). It's a bit odd, but it seemed
to happen more frequently around that time, then not happen again for
about 9 months.

It's possible to use another database as a backend for openLDAP but I
never tried it. I would recommend. What I would like to know is how to
make Windows XP authenticate directly against a database. I guess Vista
supports Credential Providers like pam, according to a quick google.
Anyone tried that? Then it would be possible to just remove ldap from
the mix and have things authenticate against databases that don't eat
themselves.

Note: I'm coming from the side of using samba + LDAP as a domain
controller for central authentication so that would be my main interest.

Of course I suppose you could just regularly jam your user database into
ldap for the needed ldap support.

gladi...@gmail.com

Jun 25, 2009, 3:53:08 PM
to kulua-l

Indeed. In that sort of situation, I would leave OpenLDAP as a front-
end to the database to support LDAPish things such as Win32 auth or
calendar features.

David Hageman

Jun 25, 2009, 7:46:27 PM
to kul...@googlegroups.com
I don't recommend spacewalk for most sysadmins and users right now. The
only supported database is Oracle. PostgreSQL support is coming, but it
is coming very very slowly.


Jeffrey Watts wrote:
> They are Red Hat's management framework for Linux systems. They provide
> monitoring, provisioning, configuration deployment, and inventorying.
>
> Satellite is the product that Red Hat sells. Spacewalk is the upstream
> open source product. Spacewalk is to Satellite as Fedora is to RHEL.
>
> http://www.redhat.com/spacewalk/
> http://www.redhat.com/red_hat_network/
>
> Jeffrey.
>
>
> On Wed, Jun 24, 2009 at 1:49 PM, Glenn Robuck <techra...@gmail.com
> <mailto:techra...@gmail.com>> wrote:
>
> What are Satellite and Spacewalk?
>

--
========================================================
David Hageman <dhag...@dracken.com>
Dracken Technology, Inc. http://www.dracken.com/
========================================================

David Hageman

Jun 25, 2009, 7:57:07 PM
to kul...@googlegroups.com

I ran into similar issues a couple of years ago, but for the last year
or two I have had no issues with OpenLDAP/BDB combination. In fact, it
has worked exceedingly well.

I also would have recommended the OpenLDAP/RDBMS a couple of years ago.
I think this is because I really those type of databases. They just
make sense to me. I wouldn't recommend it today unless you are
retrofitting a legacy SQL database into something accessed by more
modern tools. Why? It just makes the system that much more
complicated. If there is corruption, restoring from an LDIF dump is
quick and easy. If you are seriously worried, go ahead and set up a
master/slave for your openldap systems. It works great!

Nick Anderson

Jun 25, 2009, 10:02:05 PM
to kul...@googlegroups.com, kul...@googlegroups.com
On Jun 25, 2009, at 6:46 PM, David Hageman <dhag...@dracken.com> wrote:

>
> I don't recommend spacewalk for most sysadmins and users right now.

I would say to look into puppet.

Jeffrey Watts

Jun 26, 2009, 12:32:47 AM
to kul...@googlegroups.com
Dave, you can use Oracle XE for free with Spacewalk. Or, you can wait three weeks when PostgreSQL support will be released. Red Hat is aggressively developing Spacewalk right now, there's a lot of really cool things coming.

https://fedorahosted.org/spacewalk/wiki/SpacewalkFaq

Jeffrey.


David Hageman

Jun 26, 2009, 1:11:29 AM
to kul...@googlegroups.com
I am aware that you can use Oracle XE for Spacewalk. My complaint about
Spacewalk isn't the cost of Oracle. My complaint about the use of
Oracle is that it is resource intensive in terms of both hardware and
administration. I want it to save me time - not make my life more
complicated.

I have been following the work on Spacewalk since it was announced. At
my day job I manage close to 100 Linux boxes with 1000+ users; I am
always looking for ways to make my life easier. Porting to PostgreSQL
has been no easy task for the developers of Spacewalk. I follow the
-devel mailing list and I think you read the milestone page wrong. Full
PostgreSQL support is 5 months out and I believe it will probably be a bit
longer before it is truly usable.

I use just a few tools at work to manage all of those machines:

cobbler
func
yum
a few shell scripts

The only major hardware requirement is disk space for mirroring the
software repositories. This has served me well for over two years now.

As someone who has done this type of administration for quite a few
years - I just can't recommend spacewalk at this time for system
administrators and casual users.
--
========================================================
D. Hageman <dhag...@dracken.com>

Justin Dugger

Jun 26, 2009, 2:01:16 AM
to kul...@googlegroups.com
On Thu, Jun 25, 2009 at 11:32 PM, Jeffrey Watts <jeffrey...@gmail.com> wrote:
> Dave, you can use Oracle XE for free with Spacewalk.  Or, you can wait three
> weeks when PostgreSQL support will be released.  Red Hat is aggressively
> developing Spacewalk right now, there's a lot of really cool things coming.

Wasn't Red Hat the group that developed Satellite?

Jeffrey Watts

Jun 26, 2009, 2:14:30 AM
to kul...@googlegroups.com
We must work in different environs. I don't think Oracle XE has very dramatic hardware requirements for a modern system. Regardless, use what you want, but I don't think it's prudent to tell someone to go elsewhere when there's a perfectly good solution available for what he's likely wanting to do.

He's operating in a Red Hat environment, so I suggested that he look at Satellite/Spacewalk in addition to LDAP for authentication. Yes, there are other tools but I'm trying to give him the "simplest" path.

If you don't think Spacewalk is ready for prime time for Fedora/CentOS use, great. But I don't see how that affects him, as he'd be looking at using Satellite.

Jeffrey.


Jeffrey Watts

Jun 26, 2009, 2:16:41 AM
to kul...@googlegroups.com
Yes. They are opening up the development model for Satellite. Spacewalk is the new upstream for Satellite.

Jeffrey.

Daniel Matthis

Jun 26, 2009, 9:41:28 AM
to kul...@googlegroups.com
LDAP has worked fine for us but we have either used Novell or Active Directory to do it.
--
- Daniel