www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: ASF LDAP Project - Update
Date Fri, 09 Jan 2009 23:16:27 GMT
Tony Stevenson wrote:

> This must not affect the current live system, in any way whatsoever.
> But I can do this, thanks, I have plenty of LDAP+HTTPD instances, some 
> may say too many.  :-)

There can never be too many :)

>> To insure against such problems while trying it out, I would suggest 
>> that you first set up ssh to allow you in directly as root via public 
>> key SSH, so that you have a way into root without a password (which 
>> could potentially be broken) or a normal user + su (which could also 
>> potentially be broken). Then, as a second measure, try it out on a 
>> virtual server that can be externally kicked if it goes completely 
>> pear shaped.
> 
> I doubt any of those countermeasures will be used. But we do have 
> console access to many of the servers, so we could deploy LDAP against 
> SSH, but not say login, with PAM perhaps.

If you fiddle with PAM, and accidentally make a mistake, you lock 
yourself out of the machine completely.

Access to the console won't help you: the reason you're potentially 
forced to drive to the datacentre is that you have to boot the 
system on a rescue disk of some kind so that you can edit the config 
files and try again, or at worst, take the disk out of the machine and 
place it in another for editing.

When you're locked out of root, your system is a brick, and getting back 
your access to the config files to fix what is otherwise a simple typing 
error can be an extremely frustrating exercise.

Use a virtual server, and make sure you have a backdoor to root, before 
you touch any of the PAM config files, and you'll save yourself much pain.

>> Once you get it to work, test your config thoroughly to make sure your 
>> fallback works properly: kill the LDAP server, and ensure you can 
>> still get to the root account, or an /etc/passwd based system account, 
>> despite the LDAP server being off the air.
> 
> Yeah, well, that goes without saying. I don't want to be the one to flick 
> the on switch for ~2000 users without testing :-)

I am not talking about any live deployment, I am talking about the 
testing you'll be doing to get the very first test system up and running.

Regards,
Graham
--
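The two fallbacks Graham describes (root reachable over SSH by public key, and local /etc/passwd accounts still usable when the LDAP server is off the air) can be sanity-checked statically before anyone touches a live box. The script below is an added example and is not code from this thread or from ASF infrastructure; it assumes Linux-PAM auth-stack syntax with pam_ldap.so as the LDAP module and an OpenSSH sshd_config, and the configuration files it examines are constructed samples written to a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from ASF infrastructure.
# Pre-flight checks for the fallbacks discussed above:
#   (a) local /etc/passwd + /etc/shadow accounts authenticate without LDAP;
#   (b) sshd will accept a public key for root, so a broken password path
#       (PAM/LDAP) does not lock you out.
# Assumptions (mine): Linux-PAM "auth" stack syntax, pam_ldap.so as the LDAP
# module, OpenSSH sshd_config. All sample files below are constructed.

# (a) Exit 0 if an "auth sufficient pam_unix.so" line precedes the first
# pam_ldap.so auth line. With that ordering a local account succeeds at
# pam_unix and the stack returns before LDAP is contacted; with pam_ldap
# first and "required", an unreachable LDAP server fails everyone, root
# included, which is exactly the brick Graham warns about.
pam_local_fallback_ok() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "auth"                 { next }   # only the auth stack matters here
        $3 ~ /pam_ldap\.so/          { seen_ldap = 1 }
        $3 ~ /pam_unix\.so/ && $2 == "sufficient" && !seen_ldap { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# (b) Exit 0 if sshd accepts a public key for root. sshd honours the FIRST
# value it sees for a keyword, so take the first match; an absent keyword
# falls back to the OpenSSH default (PubkeyAuthentication yes, and
# PermitRootLogin prohibit-password on current releases), both of which
# permit key-based root login. Match blocks are not modelled here.
sshd_root_key_ok() {
    prl=$(awk 'tolower($1) == "permitrootlogin"      { print tolower($2); exit }' "$1")
    pka=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")
    case "${pka:-yes}" in yes) ;; *) return 1 ;; esac
    case "${prl:-prohibit-password}" in
        yes|without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the given authorized_keys file holds at least one OpenSSH key line.
root_key_installed() {
    grep -Eq '^(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)? ' "$1" 2>/dev/null
}

# Run all checks, report every failure, exit non-zero if any fail.
preflight() {
    rc=0
    pam_local_fallback_ok "$1" || { echo "FAIL: no sufficient pam_unix auth line before pam_ldap in $1"; rc=1; }
    sshd_root_key_ok "$2"      || { echo "FAIL: sshd config $2 will not accept a public key for root"; rc=1; }
    root_key_installed "$3"    || { echo "FAIL: no key installed in $3"; rc=1; }
    return $rc
}

# Constructed samples: one stack that bricks the box when slapd is down, one
# that falls back to /etc/shadow; one sshd_config that shuts root out, one
# that allows key-only root; and a placeholder authorized_keys (not a real key).
tmp=$(mktemp -d)
cat > "$tmp/pam.bad" <<'EOF'
# LDAP first and required: unreachable slapd => nobody logs in, root included
auth    required    pam_ldap.so
auth    required    pam_unix.so nullok_secure try_first_pass
EOF
cat > "$tmp/pam.good" <<'EOF'
auth    sufficient  pam_unix.so nullok_secure
auth    required    pam_ldap.so use_first_pass
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
EOF
cat > "$tmp/sshd_config.good" <<'EOF'
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
EOF
cat > "$tmp/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLACEHOLDERNOTAREALKEY admin@example
EOF

preflight "$tmp/pam.good" "$tmp/sshd_config.good" "$tmp/authorized_keys" \
    && echo "fallbacks OK on sample configs" \
    || echo "fix before deploying"
```

Point the functions at the real /etc/pam.d auth file, /etc/ssh/sshd_config and /root/.ssh/authorized_keys on the test VM. This is a static check only; it does not replace the live test Graham asks for: stop the LDAP server and confirm from a second session that root (or another /etc/passwd account) still gets in, while keeping an existing root shell open throughout. One caveat on the "backdoor to root": with UsePAM enabled, sshd still runs the PAM account and session stacks for a key-based login, so a syntax error in those files (as opposed to the auth stack) can still block the key path, which is another reason to do the first experiments on a virtual server that can be kicked from outside.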
