path: root/roles/ssh-ldap/templates/ansible_sudoers
author: Andy Doan <andy.doan@linaro.org> 2015-12-08 16:00:02 -0600
committer: Andy Doan <andy.doan@linaro.org> 2016-05-17 16:04:00 -0500
commit: 1fa3267fd931f2ae0f809b996db4ace8d44fe7f1 (patch)
tree: 6258b4ed8a116292b7a28034124abe6d101712db /roles/ssh-ldap/templates/ansible_sudoers
parent: 7becb36280fc76b8da9794350666ab480588f5a3 (diff)
ssh-ldap: add a new way to configure ssh/ldap for systems
This is a deviation from sssd that gives us a really fast way to manage LDAP groups/users. It uses the nss-updatedb program to pull down *all* user and group information from LDAP (takes a couple of seconds). This information is stored in the NSS "db" format, that can be configured via nsswitch.conf. So all LDAP operations except for checking passwords can be handled completely locally. Password checking (which is needed by sudo) can be enhanced by using the libpam-ccreds which will cache a user's password locally.

I also added something like a "tiered hierarchy" concept. Only one system in the colo actually pulls down LDAP information. It keeps the resulting DB in a directory exposed by Apache. All the other servers in the colo simply grab the LDAP DB from this host. This reduces the load on the LDAP server and it also makes the updates for all the systems in the colo really quick.

Change-Id: If028d2adc7a88a7d8ae2a0a30c870a0c403883af
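The commit message describes the two tiers (one host runs nss-updatedb and exposes the resulting NSS db files via Apache; every other host fetches them) but this page does not show how the role performs the publish or the fetch. The script below is an added example, not code from the ssh-ldap role, of how a practitioner would do both halves with an integrity check and an atomic install: the fetched files become the system's passwd and group database (and therefore decide who is in which group), so a truncated or half-published download must never be copied over the live db. The paths (/var/lib/misc as the nss-updatedb output directory, /var/www/html/nssdb as the Apache directory), the URL and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example for the two-tier NSS db distribution described in the commit
# message; not part of the ssh-ldap role. All paths and URLs are placeholders.

# Tier-1 host: after `nss_updatedb ldap` has refreshed passwd.db and group.db,
# copy them into the web-served directory together with a checksum list so a
# consumer can detect a truncated download or a half-published set.
publish_db_dir() {
    src="$1"   # directory holding passwd.db and group.db (assumed /var/lib/misc)
    dst="$2"   # directory served by Apache (assumed /var/www/html/nssdb)
    [ -s "$src/passwd.db" ] && [ -s "$src/group.db" ] || return 1
    tmp=$(mktemp -d "$dst/.publish.XXXXXX") || return 1
    cp "$src/passwd.db" "$src/group.db" "$tmp/" || return 1
    (cd "$tmp" && sha256sum passwd.db group.db > SHA256SUMS) || return 1
    # Publish the db files before the checksum list: a consumer that races the
    # publish sees a mismatch and retries instead of installing a mixed set.
    for f in passwd.db group.db SHA256SUMS; do
        mv -f "$tmp/$f" "$dst/$f" || return 1
    done
    rmdir "$tmp"
}

# Tier-2 host: fetch the published set into a scratch directory.
fetch_db_set() {
    base_url="$1"   # e.g. http://ldap-cache.colo.example/nssdb (placeholder)
    work="$2"
    for f in SHA256SUMS passwd.db group.db; do
        curl -fsS -o "$work/$f" "$base_url/$f" || return 1
    done
}

# Tier-2 host: install the fetched set only if every file matches the checksum
# list. Each file is written next to its target and renamed into place, so NSS
# lookups never read a partially written db.
install_db_dir() {
    work="$1"   # directory holding a fetched set
    dst="$2"    # NSS db directory read via nsswitch.conf (assumed /var/lib/misc)
    (cd "$work" && sha256sum -c SHA256SUMS >/dev/null) || return 1
    for f in passwd.db group.db; do
        cp "$work/$f" "$dst/.$f.tmp" || return 1
        chmod 0644 "$dst/.$f.tmp" || return 1
        mv -f "$dst/.$f.tmp" "$dst/$f" || return 1
    done
}

# Driver: set NSS_TIER=publish on the tier-1 host and NSS_TIER=consume on the
# others (e.g. from cron). Unset, the script only defines the functions above.
case "${NSS_TIER:-}" in
    publish)
        nss_updatedb ldap && publish_db_dir /var/lib/misc /var/www/html/nssdb ;;
    consume)
        scratch=$(mktemp -d) || exit 1
        fetch_db_set "${NSS_DB_URL:-http://ldap-cache.colo.example/nssdb}" "$scratch" \
            && install_db_dir "$scratch" /var/lib/misc
        rc=$?; rm -rf "$scratch"; exit $rc ;;
esac
```

The checksum list only protects against truncation and mixed publishes; because it is fetched from the same unauthenticated HTTP directory, anyone who can replace passwd.db on the wire or on the Apache host can replace SHA256SUMS too. Authenticity needs either TLS to the tier-1 host with the consumer pinning its certificate, or a detached signature over SHA256SUMS that the consumer verifies before `install_db_dir` runs.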
Diffstat (limited to 'roles/ssh-ldap/templates/ansible_sudoers')
-rw-r--r--  roles/ssh-ldap/templates/ansible_sudoers  4
1 files changed, 4 insertions, 0 deletions
diff --git a/roles/ssh-ldap/templates/ansible_sudoers b/roles/ssh-ldap/templates/ansible_sudoers
new file mode 100644
index 00000000..0f063f8b
--- /dev/null
+++ b/roles/ssh-ldap/templates/ansible_sudoers
@@ -0,0 +1,4 @@
+# !!MANAGED BY ANSIBLE!!
+{% for user in sudoers %}
+{{user}} ALL=(ALL:ALL) ALL
+{% endfor %}
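Review bot: the loop on lines 2-4 writes each entry of `sudoers` into the file unvalidated, and a single malformed value (a name with whitespace, a group that needed a `%` prefix, an empty string) makes sudo reject the whole file and locks every listed user out of root. Have the task that renders this template run `validate: 'visudo -cf %s'` so Ansible refuses to install a file sudo cannot parse, and install it into /etc/sudoers.d with mode 0440 and a filename without `.` or `~`, since sudo skips such names. Since the template grants `ALL=(ALL:ALL) ALL`, also consider defaulting the variable (`{% for user in sudoers | default([]) %}`) so a host without the variable renders an empty file instead of failing the play, and use `{{ user }}` to match the usual Jinja spacing.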