
I've inherited a Jenkins cluster of six Macs, all of which sit in a server room and are accessible on the internal network only, but have a shared admin user and VNC password for Mac OS X (To clarify: Jenkins software access controls are sorted, I'm not asking about that).

I'm not a devops or a network admin; I'm working under a few company policy constraints and I'm only filling in the role "temporarily" (read: part time, for maybe up to a year). But I would like to clean this up with the limited time I have available. Because my time and experience in this area are limited, I delegate some admin tasks to 3 other people as needed. I want a solution that will stay between those people, and to not share a single password between them all, because users sharing an account/login is against my company policy (despite it happening now).

It would be great to have network user logins, but given that this is not set up, I am thinking of creating local accounts for each admin with VNC access (through standard Mac OS X Screen Sharing). However, I'm worried about 4 GUI sessions being run in a machine that is meant to be crunching away for us. Will this cause problems or session time outs or the like?

What are my options here, and what would be a common approach when you need 6 admins to have VNC access, but individual passwords/accounts?

HopelessN00b
kos

1 Answer


Open Directory (Apple's LDAP implementation) is probably what you're looking for.

If you don't want to be bothered setting that up, yes, local accounts for each admin on each server would work... but that would be 24 accounts to set up, so it seems like setting up LDAP would be quicker and easier.

If you're married to VNC, many implementations allow LDAP-based authentication, though personally, my feeling would be that if you need the GUI to administer a server, you have no business administering a server, so here's SSH.

As to the CPU load with VNC, it shouldn't be high enough to make a significant difference (usually a few % at most), though I'd still prefer offering SSH access only, unless I got a really compelling reason for why the admins need a GUI. In the case that a GUI is required, it's probably worth looking into RDP as an option as well.

HopelessN00b
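The local-account route the answer counts up (4 admins on 6 Macs, 24 accounts) with SSH rather than GUI access, as an added example that is not part of the original answer: a dry-run planner that prints the commands for review instead of running them. Host and account names are constructed placeholders, and it assumes Remote Login on each Mac is already restricted to the `com.apple.access_ssh` group.

```shell
#!/bin/sh
# Added example: dry-run planner for one local admin account per person per Mac.
# Host and account names are constructed placeholders, not values from the page.
HOSTS="build-mac-01 build-mac-02 build-mac-03 build-mac-04 build-mac-05 build-mac-06"
ADMINS="alice bob carol dave"

# Accept only names that need no quoting when the printed line is pasted into a shell.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands for one admin on one host.
# "-password -" makes sysadminctl prompt, so no password lands in shell history.
# Assumption: the com.apple.access_ssh group already exists on the host.
plan_account() {
    host=$1 user=$2
    valid_name "$host" || { echo "skip: bad host name '$host'" >&2; return 1; }
    valid_name "$user" || { echo "skip: bad account name '$user'" >&2; return 1; }
    echo "ssh -t $host sudo sysadminctl -addUser $user -admin -password -"
    echo "ssh -t $host sudo dseditgroup -o edit -a $user -t user com.apple.access_ssh"
}

# Print the whole plan: every admin on every host.
plan_all() {
    for h in $HOSTS; do
        for u in $ADMINS; do
            plan_account "$h" "$u" || return 1
        done
    done
}

# Number of accounts the plan would create.
count_accounts() {
    plan_all | grep -c 'sysadminctl -addUser'
}

plan_all
echo "accounts to create: $(count_accounts)"
```

Each person then has their own credential on every machine, so removing one admin means deleting that account on each host rather than rotating a password everyone shares.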