Personally, I would recommend NIS. It's relatively easy to get going, and,
like you noted earlier, can have several slave servers with one master
server. Run all your password change scripts on the master server, and the
slave servers will pick up the changes. If the master server were to go
down, the slaves would continue to know the last snapshot of the passwd,
group, etc. files.
I don't know how many servers you have, but for example, we have two auth
servers, two web servers and two mail servers. Each auth server is running
RADIUS, and each of them runs NIS - one is the master, one is a slave. The
mail and web servers are running NIS in client mode - that is, they need to
talk to one of the NIS servers, either the master or slave, to authenticate
users. If one of the auth servers were to go down, obviously, all my NASes
would just flip over to the other RADIUS server, and all the web and mail
servers would start using the one NIS server that was still working. If
they BOTH go down, well, then my users aren't dialing in and then I've got a
lot more to worry about. :)
I can't really speak about LDAP because I haven't looked at it much -
although it _is_ a lot more flexible in terms of what sort of information
you can centralize. But if all you want to replicate is what's in the
/etc/passwd file right now, use NIS. It's better than scp-ing a bunch of
files around because if that sort of setup breaks at 2 AM, or you get an
incomplete copy of the password file on a box for some reason, you're going
to have no end of headaches tracking that down (the system I inherited did
the exact same thing - scp-ed the password files to six other boxes.) NIS,
once you get it going (and there are a ton of HOWTOs on the net - note that
you want the NIS ones and NOT the NIS+ ones) just works, and works well.
Failing _that_, you could always ask the people who gave you this advice for
help offlist. :)
Chris Kalin
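The "incomplete copy of the password file" failure mode mentioned above is the main thing that bites a copy-files-around setup (scp or the rsync-from-cron idea in the quoted message). The following POSIX sh script is an added example, not something from this thread or from the LVS project: it validates a received passwd-style file before installing it, and replaces the live file atomically so a truncated or half-written copy is never what the system reads. The function names (`validate_passwd`, `install_passwd`, `demo`), the default of 7 colon-separated fields (the /etc/passwd layout; FreeBSD's master.passwd has 10, which is why the field count is a parameter), and the sample account lines are all constructed for the example.

```shell
#!/bin/sh
# Added example: refuse to install a passwd-style file unless it passes
# basic sanity checks, then replace the destination atomically.
# Assumes a colon-separated format with a fixed number of fields per line
# (7 for /etc/passwd; pass 10 for FreeBSD's /etc/master.passwd).

# validate_passwd FILE [FIELDS]
# Returns 0 only if: the file is non-empty, every line has exactly FIELDS
# fields, no user name is empty or duplicated, and a root entry with uid 0
# exists. A copy cut off mid-line fails the field-count check.
validate_passwd() {
    f="$1"
    n="${2:-7}"
    [ -s "$f" ] || return 1
    # every line (including any blank line) must have exactly n fields
    awk -F: -v n="$n" 'BEGIN { bad = 0 } NF != n { bad = 1 } END { exit bad }' "$f" || return 1
    # no empty user names
    awk -F: 'BEGIN { bad = 0 } $1 == "" { bad = 1 } END { exit bad }' "$f" || return 1
    # no duplicate user names
    dups=$(cut -d: -f1 "$f" | sort | uniq -d)
    [ -z "$dups" ] || return 1
    # root with uid 0 must be present (a truncated tail can lose it)
    awk -F: 'BEGIN { found = 0 } $1 == "root" && $3 == 0 { found = 1 } END { exit !found }' "$f" || return 1
    return 0
}

# install_passwd SRC DST [MODE] [FIELDS]
# Validates SRC, then writes it to a temp file in DST's directory and
# renames it over DST, so readers see either the old or the new file,
# never a partial one. MODE defaults to 644; use 600 for master.passwd.
install_passwd() {
    src="$1"
    dst="$2"
    mode="${3:-644}"
    validate_passwd "$src" "${4:-7}" || {
        echo "refusing to install $src: failed validation, $dst left untouched" >&2
        return 1
    }
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv "$tmp" "$dst"
}

# Demo with constructed sample data (not real account files).
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001:Alice:/home/alice:/bin/sh\n' > "$d/passwd.good"
    # the same file cut off mid-line, as an interrupted copy might leave it
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001:Alice:/home/al' > "$d/passwd.trunc"
    install_passwd "$d/passwd.good" "$d/passwd" && echo "good copy installed"
    install_passwd "$d/passwd.trunc" "$d/passwd" || echo "truncated copy rejected"
    rm -rf "$d"
}
demo
```

On a real box the receiving side would call `install_passwd` on the file rsync or scp dropped into a staging directory, never directly on /etc/passwd; on FreeBSD the password database must also be rebuilt with pwd_mkdb after master.passwd changes, which this example does not cover.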
----- Original Message -----
From: "Doug Schasteen" <dschast@xxxxxxxxxxxx>
To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, September 06, 2002 4:57 PM
Subject: Syncing user accounts between server
> Sorry if I'm getting off topic here, but I figure most of you are in the
> same boat as me when it comes to the fact that you don't want to have to
> set up user accounts on EVERY real server in your farm. When somebody
> needs a password reset, I can't imagine having to log in to 5 different
> servers to change the password on each of them.
>
> I've done a little bit of research on this, and it seems there are 2
> ways of using centralized authentication. They are LDAP and NIS. I don't
> personally like either of these, because my main reason for having
> multiple servers is actually for redundancy (if one server goes down, I
> have others). So what good is it to me if no one can log into the
> servers because the central authentication server is down? NIS seems to
> have one plausible solution, which is to run 1 master server and have
> every other server be a slave server, but have each server set as a client to
> itself. That way the user accounts are propagating from the master to
> all of the slaves, but none of the slaves are relying on any other
> server for authentication. They are actually using themselves as their
> own authentication server.
>
> Does that sound right? Does anyone have any experience with doing that
> kind of a setup with NIS?
>
> My other idea would be simply to rsync all of the necessary files. I'm
> running FreeBSD on my real servers so I would just rsync /etc/group,
> /etc/passwd, /etc/master.passwd, and /etc/aliases. This way, all of my
> machines are using their normal authentication, but they all receive the
> newest set of user accounts and password files every minute (if I put
> the rsync commands in cron).
>
> What do you guys think? Let me know what you are doing to solve this
> problem.
>
> - Doug
>
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users