Ask HN: How do you deal with users on your machines? - donw

Hey, folks. Most of the software I build gets deployed to Actual Linux Boxes -- either virtual or metal -- and I have yet to find a good solution for user management on those machines.

These boxes nominally live in the cloud, and not in a datacenter that I control.

I'm looking for something that can automate the process of adding and removing shell users on a large number of boxes, including access to databases and such.

What does the HN community use to deal with this?
======
walterbell
openldap, pam_ldap, etc?

~~~
donw
Have set these up a number of times, but ran into some... fun problems:

1. It's a central point of control. If I use a cloud-hosted LDAP service and
that gets 0wned by l33t haxx0rz, then I am in the soup.

2. LDAP can't add/remove users to PostgreSQL et al.

3. Even with NSCD, network connection hiccups can and will lock you out of
your machines, usually exactly at the time when you really need to be on them.

4. LDAP flailover is a black art. I ended up having my entire authentication
infrastructure wedge itself shut during a "chaos monkey" testing run, where
the master went down and came back up, and then locked itself into eternal war
with its replacement.

~~~
walterbell
1. What's the alternative, replication from an offline directory server? LDAP
server could be in a VPN, [http://stackoverflow.com/questions/22217567/create-a-hybrid-...](http://stackoverflow.com/questions/22217567/create-a-hybrid-cloud-between-aws-ec2-and-my-local-openstack-instance)

2. Would need custom syncrepl client, e.g. [http://www.python-ldap.org/doc/html/ldap-syncrepl.html](http://www.python-ldap.org/doc/html/ldap-syncrepl.html)

3. Just did some reading, apparently SSSD is the current best practice, it
can work with different backends, including AD & LDAP,
[http://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-au...](http://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-auth-on-linux/) &
[https://wiki.ubuntu.com/Enterprise/Authentication/sssd](https://wiki.ubuntu.com/Enterprise/Authentication/sssd)

4. Was that with OpenLDAP? Perhaps MS AD (works with sssd) gets more
high-availability testing in the real world?

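The SSSD suggestion in the comment above speaks directly to the lock-out and failover problems raised earlier in the thread (points 3 and 4): SSSD can cache credentials and identity data locally so a box stays reachable when the directory is not, and it takes a list of servers to fail over between. The configuration below is an added example, not taken from the thread or from either linked article; the domain name, hostnames, search base, CA path and group name are placeholders, and the timeouts are illustrative values, not recommendations for any particular environment.

```ini
# /etc/sssd/sssd.conf  (example; hostnames, base DN and paths are hypothetical)
# Must be owned by root and mode 0600 or sssd will refuse to start.

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Keep a generous negative cache so unknown users do not hammer the directory.
entry_negative_timeout = 30

[pam]
# Days a cached password hash stays usable while the directory is unreachable.
# 0 means "no expiry"; a small positive value bounds how long a removed user
# could still log in to a box that has lost contact with LDAP.
offline_credentials_expiration = 2

[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

# Primary and backup servers; sssd walks the list when the first stops
# answering, which is the "flailover" case from the thread.
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com

# Verify the server certificate; without this a network position between the
# box and the directory is enough to impersonate the directory.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ldap-ca.pem

# Cache password hashes and user/group entries locally so a network hiccup or
# a directory outage does not lock you out (thread point 3).
cache_credentials = true
entry_cache_timeout = 5400

# Only members of this group may log in to this class of host, enforced at
# the access stage rather than by what the directory happens to return.
ldap_access_filter = memberOf=cn=shell-users,ou=groups,dc=example,dc=com

# Do not enumerate the whole directory; resolve users on demand.
enumerate = false
```

After restarting sssd, `getent passwd somebody` and `id somebody` should resolve a directory user through NSS; repeating the same commands with the LDAP servers firewalled off (or `sssd` in offline mode) is the check that the cache actually covers an outage before the next chaos-monkey run does it for you. Note that the cache only answers for users who have logged in or been looked up while the directory was reachable, and that revoking a user in LDAP does not take effect on a disconnected box until `offline_credentials_expiration` passes or the box reconnects, which is the trade-off behind caching.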
~~~
donw
Very informative set of links, I'll dig in -- thanks!