
centralized auth, but limits on logins - Sun Solaris


  1. #1

    centralized auth, but limits on logins


    I would like to get some recommendations from folks, on how they believe
    the best way of handling the following is:


    assume a datacenter with 200 solaris boxes.
    They are organized into groups of around 10-20 boxes per functional
    locality. The grouping is done approximately as follows:

    (business unit) - production
    (business unit) - staging

    and occasionally
    (business unit) - development


    We can have any one particular tech person (let's say a DBA) have privs
    for all machines in a business unit...or just prod.
    Or, all *database* machines, but not app-servers, or web servers.


    What would people recommend as the best mechanism to manage this, that
    involves the least amount of tweaking each individual machine?


    Currently, we use "sudo", with access given by group. But this still
    involves going into each individual machine's /etc/group, and making
    sure the person's account is in the right group(s) for that box.



    --
    http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
    Organized by the author of pkg-get
    [Trim the no-bots from my address to reply to me by email!]
    S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:D
    http://www.spamlaws.com/state/ca1.html
    Philip Guest

  2. #2

    Re: centralized auth, but limits on logins

    On Thu, 25 Sep 2003 00:09:52 GMT in <slrnbn4cif.2crn.phil+com>,
    Philip Brown said something similar to:
    :
    : We can have any one particular tech person (let's say a DBA) have privs
    : for all machines in a business unit...or just prod.
    : Or, all *database* machines, but not app-servers, or web servers.
    :
    : What would people recommend as the best mechanism to manage this, that
    : involves the least amount of tweaking each individual machine?
    :
    : Currently, we use "sudo", with access given by group. But this still
    : involves going into each individual machine's /etc/group, and making
    : sure the person's account is in the right group(s) for that box.

    Rather than granting sudo access by local group membership, you could
    use combinations of User_Alias and Host_Alias in the sudoers file,
    and setup a system by which the sudoers file on each machine is
    periodically updated from a master copy.
    Mike Guest

  3. #3

    Re: centralized auth, but limits on logins

    In article <lusars.net>,
    Mike Delaney <org> wrote:

    Does sudo use a NIS map yet?

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...



    Michael Guest

  4. #4

    Re: centralized auth, but limits on logins

    On Wed, 24 Sep 2003 19:10:36 -0700, org wrote: 

    That would kinda count as "tweaking each individual machine", plus it would
    make for a very looong sudoers file. We went to group-based sudo, to avoid
    this sort of thing :-/


    Philip Guest

  5. #5

    Re: centralized auth, but limits on logins

    On Thu, 25 Sep 2003 19:17:11 GMT in <slrnbn6fpn.22vv.phil+com>,
    Philip Brown said something similar to:
    : On Wed, 24 Sep 2003 19:10:36 -0700, org wrote:
    : >On Thu, 25 Sep 2003 00:09:52 GMT in <slrnbn4cif.2crn.phil+com>,
    : >Philip Brown said something similar to:
    : >: ...
    : >: What would people recommend as the best mechanism to manage this, that
    : >: involves the least amount of tweaking each individual machine?
    : >
    : >Rather than granting sudo access by local group membership, you could
    : >use combinations of User_Alias and Host_Alias in the sudoers file,
    : >and setup a system by which the sudoers file on each machine is
    : >periodically updated from a master copy.
    :
    : That would kinda count as "tweaking each individual machine", plus it would
    : make for a very looong sudoers file. We went to group-based sudo, to avoid
    : this sort of thing :-/

    Well, to me setting up a cron job on each machine once beats regularly
    adjusting local group memberships on individual machines for "least
    amount of tweaking", but YMMV. I can't argue with a desire to keep
    the sudoers file at a manageable size, though.

    I suppose you could use netgroups rather than local groups for your
    User_Lists, but if you've got as many access permutations as you
    seem to be implying, that could quickly turn into a large hairball
    as well. (That, and you may not want the "who has what access on
    what machine" information to be accessible to anyone who can run
    ypcat.)
    Mike Guest
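    Editor's illustration of the two approaches Mike describes above, a single master sudoers file built from User_Alias/Host_Alias combinations (#2) and netgroups used in a User_List (#5). This is an added example, not a file from the thread; every hostname, username, the `dba_ng` netgroup and the command paths are constructed placeholders, and the business unit "fin" is invented.

```sudoers
# Master sudoers for the whole datacenter. sudo only applies entries whose
# Host_List matches the local hostname, so this one file can be pushed
# unchanged to every box (e.g. by the periodic cron pull Mike suggests).
# Always validate the master before distributing it:  visudo -c -f <file>

# Hosts, grouped the way the original post describes:
# (business unit) - production / staging / development
Host_Alias  FIN_PROD  = finprod01, finprod02, finprod03
Host_Alias  FIN_STAGE = finstage01, finstage02
Host_Alias  FIN_DEV   = findev01
Host_Alias  FIN_ALL   = FIN_PROD, FIN_STAGE, FIN_DEV

# Role-based host aliases cut across business units: "all database
# machines, but not app-servers or web servers".
Host_Alias  DB_HOSTS  = finprod01, finstage01, findev01
Host_Alias  WEB_HOSTS = finprod02, finprod03, finstage02

# People. A leading '+' names a netgroup (NIS/LDAP) instead of a local user
# or group, which is the alternative to editing /etc/group on every box.
# Caveat from #5: anyone who can 'ypcat netgroup' can read the membership.
User_Alias  FIN_DBAS    = alice, bob
User_Alias  FIN_RELEASE = carol
User_Alias  ALL_DBAS    = +dba_ng

# Commands, kept narrow so a role grant is not a root grant in disguise.
Cmnd_Alias  DB_ADMIN    = /usr/bin/su - oracle, /opt/oracle/bin/sqlplus
Cmnd_Alias  WEB_RESTART = /etc/init.d/apache start, /etc/init.d/apache stop, \
                          /etc/init.d/apache restart

# Grants: one line per (who, where, what). Adding a person means touching
# one User_Alias in the master, not /etc/group on 200 machines.
FIN_DBAS     FIN_ALL            = (root)   DB_ADMIN
FIN_RELEASE  FIN_PROD, FIN_STAGE = (root)   WEB_RESTART
ALL_DBAS     DB_HOSTS           = (oracle) ALL
```

    Two practical notes. First, sudo matches Host_List entries against the name returned by gethostname(), so the aliases must use whatever form the hosts actually report (short names here); set `Defaults fqdn` in the master if your boxes are configured with fully qualified names. Second, the "looong sudoers file" objection from #4 mostly goes away with aliases: the file grows by one line per host group or per role, not per host, and the grant section stays readable even across many business units.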

  6. #6

    Re: centralized auth, but limits on logins

    On Fri, 26 Sep 2003 18:58:32 -0700, org wrote: 

    not to mention, no way in hell we're running NIS :-)

    We might have considered NIS+, except that sun is phasing it out. sigh.
    So, need some other secure mechanism(s)

    Is there an expert on moira in the house?



    Philip Guest
