Our environment has several “classes” of servers, such as
“development”, “production”, “qa”, “utility”, etc. Then we have all our users. There’s no obvious mapping between users and server class. Some users may have access to only one class, some may span multiple classes, etc. And for maximum complexity, some classes of machines use local (i.e. /etc/passwd, /etc/shadow) authentication, others use Kerberos.
With enough users and enough classes, it gets to be more than one can easily manage with a simple spreadsheet or other crude mechanism. Plus the ever-growing risk of giving a user access to a class he shouldn’t have.
Is there a simple centralized solution that can simplify the management of this? One caveat though is that our “production” class machines should not have any external dependencies. These are business-critical, so we try to minimize any single point of failure
(e.g. a central server). Plus the production class machines are distributed in multiple remote locations.