
I manage about 100 servers running Alma Linux 9.1, each with multiple users. Historically we've had a single account "admin" that everyone logs into when working on a server. I'm moving us over to individual LDAP users via SSSD but have hit a stumbling block with group membership.

Just as an example, on our ansible server the files under /etc/ansible belong to the admin user so that unprivileged users can work on them:

$ ls -lah /etc/ansible/
total 64K
drwxrwxr-x.   3 admin admin   71 Dec  7 11:11 .
drwxr-xr-x. 112 root  root  8.0K Jan 23 12:42 ..
-rw-rw-r--.   1 admin admin  614 Oct 14 11:28 ansible.cfg
-rw-rw-r--.   1 admin admin  377 Dec  7 11:11 ansible.conf
-rw-rw-r--.   1 admin admin  43K Feb 10 12:32 hosts
drwxr-xr-x.   2 admin admin    6 Oct 14 11:28 roles

Obviously ownership isn't going to help with multiple users needing to access the file, so we look at group membership. I can individually add users to a local group on a server but this is not scalable, and presents another step whenever new users are brought on.

I read a bit into the proposal for group merging but it seems like it's still unimplemented.

What I'd like is for any members of LDAP group x to be automatically added to local group y whenever they log in to any servers. Is this possible?

miken32
  • Don't have people logging into servers and making changes directly to shared files. Have them submit changes via a version control system that deploys them via a CI/CD pipeline. Now you have the opportunity for code review, change control, a useful change history (why did we make this change?), and you've sidestepped the whole issue of managing write access to shared files. – larsks Feb 11 '23 at 03:15
  • Alternately, if you already have LDAP groups, why not just make the files owned by an LDAP group that will be common across all the servers? – larsks Feb 11 '23 at 03:15
  • Honestly I wasn’t aware you could have files owned by ldap groups. Will look into that… – miken32 Feb 11 '23 at 03:25
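The alternative larsks raises in the comments, written out as an added example (this is not code from the question or from any answer): instead of syncing LDAP members into a local group on every host, make the shared directory group-owned by the LDAP group itself. It assumes the group is one every host resolves through SSSD with the same gidNumber everywhere; the group name `ansible-admins` in the usage line is a placeholder, and the two function names are my own.

```shell
#!/bin/sh
# Added example (not from the question or its comments): the "files owned by
# a shared group" layout suggested in the comments, as two POSIX sh functions.
# Assumptions: GROUP is a group every host can resolve (for the question's
# setup, an LDAP group served by SSSD with one gidNumber on all servers);
# the group name "ansible-admins" in the usage line is a placeholder.

# setup_shared_dir DIR GROUP
# Make DIR usable by every member of GROUP without touching local groups:
#  - everything under DIR is group-owned by GROUP
#  - directories get g+rwx plus setgid, so files created later inherit GROUP
#  - regular files get g+rw
setup_shared_dir() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" &&
    find "$dir" -type d -exec chmod g+rwxs {} + &&
    find "$dir" -type f -exec chmod g+rw {} +
}

# check_shared_dir DIR GROUP
# Return 0 when the layout above holds for every entry under DIR; otherwise
# list the offending paths on stderr and return 1. An octal mask with a
# leading "-" means "all of these bits are set": 2070 = setgid + group rwx,
# 060 = group rw.
check_shared_dir() {
    dir=$1 group=$2
    bad=$(
        find "$dir" ! -group "$group" -print
        find "$dir" -type d ! -perm -2070 -print
        find "$dir" -type f ! -perm -060 -print
    )
    [ -z "$bad" ] && return 0
    printf 'not shared-group clean:\n%s\n' "$bad" >&2
    return 1
}

# Usage on a host, as root (placeholder group name):
#   setup_shared_dir /etc/ansible ansible-admins &&
#   check_shared_dir /etc/ansible ansible-admins
```

Before relying on this, confirm on a host that SSSD actually returns the group for a user (`id -nG someuser` should list it); if it does not, the gidNumber or the SSSD group lookup is the thing to fix, not the file permissions. The setgid bit only controls which group new files get; whether they are group-writable still depends on each user's umask (or a default ACL on the directory), so that is the remaining per-host setting to standardise.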

0 Answers