author Andy Doan <> 2015-12-08 16:00:02 -0600
committer Andy Doan <> 2016-08-08 19:00:34 +0000
commit 05511bcae2f489df433b520722601d098fc5cbd2
tree 2be98701fa30ba2aab2b2a2b802a461ca9480c78 /host_vars
parent c94d88445e56df33c6ecf1b66738cbbadadccc3a
ssh-ldap: add a new way to configure ssh/ldap for systems
This is a deviation from sssd that gives us a really fast way to manage LDAP groups/users. It uses the nss-updatedb program to pull down *all* user and group information from LDAP (takes a couple of seconds). This information is stored in the NSS "db" format, that can be configured via nsswitch.conf. So all LDAP operations except for checking passwords can be handled completely locally. Password checking (which is needed by sudo) can be enhanced by using the libpam-ccreds which will cache a user's password locally.

I also added something like a "tiered hierarchy" concept. Only one system in the colo actually pulls down LDAP information. It keeps the resulting DB in a directory exposed by Apache. All the other servers in the colo simply grab the LDAP DB from this host. This reduces the load on the LDAP server and it also makes the updates for all the systems in the colo really quick.

Change-Id: If028d2adc7a88a7d8ae2a0a30c870a0c403883af
Reviewed-on:
Reviewed-by: Paul Sokolovsky <>
Diffstat (limited to 'host_vars')
1 files changed, 6 insertions, 7 deletions
diff --git a/host_vars/ b/host_vars/
index 5fcf796..a5766c6 100644
--- a/host_vars/
+++ b/host_vars/
@@ -1,10 +1,9 @@
- - andy.doan
- - ben.copeland
- - david.mandala
- - luca.sokoll
- - paul.sokolovsky
- - philip.colmer
+ldap_cache_url: ""
+ - aus-colo
+ - aus-colo-users
+ - users
# Infrastructure machines
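Review bot: `ldap_cache_url: ""` is set to an empty string and nothing in the hunk says what empty means; the commit message describes exactly one host per colo pulling from LDAP directly while the others fetch the cached DB over HTTP, so if the empty value is what marks this host as the puller, record that on the line itself, e.g. `ldap_cache_url: ""  # empty: pull from LDAP directly and serve the cache to the colo`. Also, replacing the six named users with the groups `aus-colo`, `aus-colo-users` and `users` grants access to every current and future member of those groups rather than a fixed list; `users` in particular is often a catch-all group, so confirm that scope is intended and that the role resolves group membership through the locally cached NSS db rather than a live LDAP query.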