help-cfengine
Re: Account section (was Re: Editfiles convergence bug)


From: Luke A. Kanies
Subject: Re: Account section (was Re: Editfiles convergence bug)
Date: Wed, 19 Feb 2003 09:31:35 -0600 (CST)

On Wed, 19 Feb 2003, Jamie Wilkinson wrote:

> This one time, at band camp, Martin Andrews wrote:
> >I am interested in seeing the patch. I don't quite buy your ldap argument. I
> >certainly don't want all my web servers trying to add a webalizer account
> >into my LDAP directory.
>
> Let me clarify -- if your system has been set up to store *all* users in
> LDAP, and your useradd tool does the right thing by the name service switch,
> then the new user will be created in LDAP and not in /etc/passwd, right?

This is a lot harder to do in practice than in theory, btw.  It's one
thing to set up all of your servers to be able to connect to the LDAP
directory and read, and then allow all of your users to connect to the
LDAP directory and modify their own accounts; it's something else entirely
to set up your system such that any host on your network can add or remove
users.  That means that every host suddenly has some level of root on your
LDAP server which is difficult to maintain.

You'd probably want to set up a central server with those rights, and just
depend on it being there on the other hosts.

> So the LDAP part was a bit of a red herring -- I guess I was trying to show
> two examples at once.

It's a good point, though, and brings up one of the hardest aspects of
configuration management:  How do you manage configurations when you need
to rely on facts that aren't necessarily all local?  It's difficult, and
yet a very interesting pursuit.

Luke

-- 
Hiroshima '45               Chernobyl '86               Windows '95
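The access-control split Luke describes (every host may read the directory, each user may change their own account, and only one central host may add or remove users) is something the directory itself can enforce. The slapd.conf fragment below is an added illustration for OpenLDAP, not part of the original thread and not cfengine's or OpenLDAP's own documentation; the suffix dc=example,dc=com, the ou=People, ou=Hosts and ou=Roles containers and the cn=provisioner identity are invented placeholders, and it assumes each host binds with its own DN under ou=Hosts rather than anonymously.

```conf
# slapd.conf access-control fragment (added example; all DNs are placeholders).
# Rules are evaluated top to bottom: the first "access to" clause whose target
# matches is used, and within it the first "by" clause that matches the
# requestor decides. Narrow rules therefore go before broad ones.

# WEAK: what "every host may add users" amounts to. Every machine account under
# ou=Hosts gets write access over the whole user container, so any compromised
# host can create, delete or rewrite any account, including one with uidNumber=0.
#
#   access to dn.subtree="ou=People,dc=example,dc=com"
#           by dn.subtree="ou=Hosts,dc=example,dc=com" write
#           by * read

# CORRECTED: one central provisioning identity owns the account lifecycle.

# 1. Passwords: owner and provisioner may set them, anyone may bind with them
#    (auth), nobody may read the hashes back.
access to dn.children="ou=People,dc=example,dc=com" attrs=userPassword
        by dn.exact="cn=provisioner,ou=Roles,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# 2. Self-service is limited to named, harmless attributes. A plain
#    "by self write" on the whole entry would let a user change their own
#    uidNumber or gidNumber, which is root on every host that trusts the directory.
access to dn.children="ou=People,dc=example,dc=com" attrs=loginShell,gecos
        by dn.exact="cn=provisioner,ou=Roles,dc=example,dc=com" write
        by self write
        by users read
        by * none

# 3. Adding or deleting an account requires write access to the parent's
#    "children" pseudo-attribute and to the entry's own "entry" pseudo-attribute.
#    Only the provisioner gets it; hosts and users keep read.
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
        by dn.exact="cn=provisioner,ou=Roles,dc=example,dc=com" write
        by users read
        by * none

access to dn.children="ou=People,dc=example,dc=com" attrs=entry
        by dn.exact="cn=provisioner,ou=Roles,dc=example,dc=com" write
        by users read
        by * none

# 4. Everything else in a user entry (uid, uidNumber, gidNumber, homeDirectory,
#    ...): the provisioner writes, hosts and users read, anonymous sees nothing.
access to dn.children="ou=People,dc=example,dc=com"
        by dn.exact="cn=provisioner,ou=Roles,dc=example,dc=com" write
        by dn.subtree="ou=Hosts,dc=example,dc=com" read
        by users read
        by * none
```

With this in place the per-host useradd path Jamie describes is deliberately broken: a host binding as its own DN can resolve accounts through nss_ldap but an add under ou=People fails with insufficient access, and only the central provisioning host (binding as cn=provisioner) can create or remove entries. Before relying on it, check the rules offline with slapacl, for example `slapacl -b "ou=People,dc=example,dc=com" -D "cn=somehost,ou=Hosts,dc=example,dc=com" children/write`, which should report the access as denied, and the same query with the provisioner DN, which should be allowed.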