syncing user passwd information between servers

Garrett Cooper youshi10 at u.washington.edu
Fri Mar 9 05:08:01 UTC 2007 

Noah wrote:
> see more questions below?
> 
> Daniel Marsh wrote:
>> On 3/9/07, Noah <admin2 at enabled.com> wrote:
>>>
>>> Hi,
>>>
>>> I am trying to figure out the Best admininstrative way to do the
>>> following:
>>>
>>> We have two FreeBSD 6.2 servers and want to keep the passwd files in
>>> sync so all the same users can log into each machine, their UID's match,
>>> and when the update the password on one machine the other machine gets
>>> the password.  When we add the user to one machine then the other
>>> machine has an additional user too.
>>>
>>> What is the best scheme that we can devise to get this working
>>> technically well?
>>>
>>> Cheers,
>>>
>>
>> A couple of things can be done...
>> The first, and longest existing method would be to use NIS between the 
>> two
>> machines where one machine acts as a server, the other as a client to 
>> that
>> server, if the server goes down, no-one can login. (I havn't 
>> investigated in
>> backup NIS servers as I don't like NIS)
>>
> 
> yeah NIS does not feel like the right direction
> 
> 
>> The other option would be using LDAP (OpenLDAP), you'll install 
>> OpenLDAP on
>> both servers, one will act as a master, the other as a slave, each 
>> machine
>> will login against the ldap database running locally.
>> The master ldap will replicate to the slave to keep any user changes 
>> in tact
>> and up to date.
>> You'll need to install the pam_ldap and nss_ldap ports and may want to 
>> use
>> LDAP Account Manager (runs via PHP on Apache) to manage the user 
>> accounts.
> 
> 
> so the users would not be locked out of the second server if the master 
> LDAP server goes down, right?
> 
> cheers,
> 
> Noah
> 
> 
> 
>>
>> Another option may be to use a versioning system, one machine has a
>> versioning repository, you import /etc/ into the versioning system 
>> (CVS or
>> Subversion), when you make a change on a server to passwd's etc... you
>> commit the change and check it out on the other machine, maybe even 
>> making
>> use of merging changes so if two people, one on each machine, change 
>> their
>> passwords and they both commit you don't lose one of the password 
>> changes.

As was suggested to me about 4-5 months ago (may want to look in the 
archives), the best means to ensure user account info is synced is to 
use NIS (for credentials, like users, groups, NIS domain info, etc) and 
LDAP/Kerberos (authentication, passwords, etc).

-Garrett

More information about the freebsd-questions mailing list