Centralized Authentication with Puppet

Transcript

1. Centralized Authentication Using Puppet

2. Hello. I'm Clint Savage People online call me herlo I

   participate online in many places

3. Problem #1

4. Authentication and Authorization Jim is one of 10 web server

   administrators He needs access to each of the 20 web servers Replicating passwd, shadow and group files Across 20 machines isn't so bad, right?

5. Web servers are just one type of system in an

   infrastructure That won't scale! Replicating that much information will be a nightmare! What about the DB servers, monitoring systems, etc.? rsyncing /etc/passwd 400 times, several times a day? Ugh! What about the DB servers, monitoring systems, etc.?

6. Solution #1

7. Active Directory or LDAP / Kerberos In a mixed environment,

   AD makes sense Kerberos on Linux isn't simple to configure

8. We chose AD And enabled 'Identity Management for UNIX'

9. Adding Users Simply add a user in AD, then modify

   the UNIX attributes. Using UPG? Don't forget to add the user's group first Make sure to add the user to any needed supplemental groups

10. Name Service Switch (NSS) /etc/nsswitch.conf /etc/nsswitch.conf User lookup using AD's

    ldap tree User lookup using AD's ldap tree

11. OpenLDAP Client-side user lookup

12. Pluggable Authentication Modules (PAM) Used pam_krb5 and pam_access shared libraries

    Used pam_krb5 and pam_access shared libraries Modified some configurations in /etc/pam.d/ Modified some configurations in /etc/pam.d/

13. Kerberos v5 Client-side Active Directory authentication

14. This page intentionally filled with puppets

15. Problem #2

16. Having home directories on every server?? Users and Data No

    way! What about shell history, environment variables, etc? I don't want to download that shell script 400 times, do you?

17. Solution #2 This one is a bit more involved!

18. NFS or Samba? Both are viable options, which one to

    choose?

19. We chose NFS NFS is the de-facto standard network file

    sharing system on Linux Samba has great qualities as well. Sometimes it comes down to preference.

20. Autofs Enables automatic mounting of user's home directories Modify two

    configuration files Start the service and it's ready!

21. Later that day... The Scenario

22. CANDY!!!

23. Enter Puppet! Well, um, yeah. That's why we're here! Examples

    use version 0.25 Implementation details may differ in newer versions of puppet

24. Creating home directories Two basic functions: Two basic functions: get_ad_uids

    – gathers all UNIX uids from Active Directory get_ad_uids – gathers all UNIX uids from Active Directory get_ad_gidNumber – provides tooling for UPG get_ad_gidNumber – provides tooling for UPG Required writing some ruby. Documentation: http://docs.puppetlabs.com/guides/custom_functions.html

25. Creating home dirs (cont'd) class homedir-creator inherits homedir { package

    { "ruby-ldap": ensure => latest, } } define add_bash_files ($create_root) { $gidNum = get_ad_gidNumber($name) # should return a user's primary group id number file { "${create_root}/${name}/.bashrc": ensure => file, replace => false, owner => "${name}", group => "${gidNum}", Mode => "644", source => [ "puppet:///virt-users/homedir/bashrc.$hostname", "puppet:///virt-users/homedir/bashrc.$system_environment-$system_role", "puppet:///virt-users/homedir/bashrc.$system_role", "puppet:///virt-users/homedir/bashrc.$system_environment", "puppet:///virt-users/homedir/bashrc", ], } } (Also created .bash_profile and empty .bash_history in similar fashion)

26. Creating home dirs (cont'd) define ensure_homedirs { if $system_environment ==

    "production" { user_dirs { $name: create_root => "/homedirs/create" } add_bash_files { $name: create_root => "/homedirs/create" } } } define user_dirs ($create_root) { file { "${create_root}/${name}": ensure => directory, owner => "${name}", group => "root", mode => "750", } }

27. Caching Credentials This speeds up login immensely! If already authenticated,

    the next login(s) can be locally managed

28. System Security Services Daemon (SSSD) /etc/sssd/sssd.conf /etc/sssd/sssd.conf Offline caching of

    network credentials Offline caching of network credentials

29. Thank you for your attention! web: http://shadow-soft.com email: [email protected] Slides

    available @ http://speakerdeck.com/u/herlo/p/