Linux – Sync user accounts over multiple linux servers

authenticationlinuxUbuntuuser-management

What is the best way to sync multiple user accounts and home directories over multiple servers, they will all be the same OS. The servers are in different locations around the world, so if one goes down the others are still available. at the moment there are users on one server but if that server goes down there is no way, other than re-creating users and rsyncing the directories over. So just wondering if there is a better way? I haven't used LDAP but could this be a job for it or not?

Best Answer

I'd recommend starting to use a config management system (Puppet and Chef are two good options at the moment) to deploy user/group data to your servers.

Ideally, you'd have one central LDAP or NIS server, but due to your distributed nature, using a config management system to keep your local user/group databases in sync would be a better option for you.

Related Solutions

Linux – create home directories after create users

This might sound like a silly idea, but if the users aren't actually doing anything, you could do:

cat /etc/passwd | cut -f 1 -d : >/tmp/users.list

Then edit /tmp/users.list to only contain the users you want. Then do:


for i in `cat /tmp/users.list`
do
    userdel $i
    useradd -m $i
done

However, many Redhat based distributions will create you a new home directory when you first login, providing it is specified in /etc/passwd where the directory should be.

To test that, do an "su - " and see if it does "the right thing". If it doesn't, the above script will work quite nicely, I think.

Ldap – Authenticating Apache HTTPd against multiple LDAP servers with expired accounts

The AuthzLDAPAuthoritative off directive will let authentication fall through to the next module only if the user cannot be matched to a DN in the query. Currently even though the user is expired, it seems that their account will still be returned as a result when the LDAP query is performed.

I don't know enough about the ActiveDirectory LDAP schema to give a definite answer here, but if you could add a filter to your AuthLDAPURL directive that filters out expired accounts it should result in the username not matching any DN in the query. This should result in the authentication falling through to the next module.

Best Answer

Related Solutions

Linux – create home directories after create users

Ldap – Authenticating Apache HTTPd against multiple LDAP servers with expired accounts

Related Topic