SPS for Linux now leverages the Pluggable Authentication Module (PAM) provided in the Linux Standard Base (LSB). SPS no longer uses its private password file once located in
/opt/LifeKeeper/website/passwd. Instead, users are identified and authenticated against the system's PAM configuration. Privilege levels are determined from group membership as provided through PAM.
In order to access the GUI, a user must be a member in one of the three LifeKeeper groups:
lkguest. Membership in these groups should be set by the system administrator using whatever technique is appropriate for the type of user account database that is being used throughout the cluster.
These three LifeKeeper groups provide three different sets of permissions (see Permissions Table).
Users with Administrator permission (
lkadmin) throughout a cluster can perform all possible actions through the GUI.
Users with Operator permission (
lkoper) on a server can view LifeKeeper configuration and status information and can bring resources into service and take them out of service on that server.
Users with Guest permission (
lkguest) on a server can view LifeKeeper configuration and status information on that server.
During installation of the GUI package, the root user on the system is automatically added to the
lkadmin group in the system's local group database allowing root to perform all LifeKeeper tasks on that server via the GUI application or web client. If you plan to allow users other than root to use LifeKeeper GUI clients, then these LifeKeeper GUI users will need to be configured by adding them to the appropriate group.
If PAM is configured to use a non-local database such as NIS, LDAP or AD, then the system administrator must ensure that the accounts are correctly configured in those databases. The groups listed above must exist and users who are allowed to log into the LifeKeeper GUI must be a member of one of these groups. These groups should be created in the remote database only and they should be removed from the local
When upgrading from a version of LifeKeeper prior to 8.1.1, an attempt will be made to add any entries from the old
/opt/LifeKeeper/website/passwd to the new group membership mechanism. If the users do not get re-created, they will not be assigned to the corresponding LifeKeeper groups and will have to be added manually.
After upgrading to LifeKeeper 8.1.1 (or later), the default LifeKeeper GUI login will be ‘root’ (with the system’s ‘root’ password). The LifeKeeper GUI requires passwords on each system in the cluster to be the same.
If any system in the cluster is using an LK GUI password other than the system’s ‘root’ password, the LK GUI login will fail. Once the root passwords are the same on each system in the cluster, the LK GUI login for ‘root’ will succeed.
Note: To avoid confusion and maintain consistency if leveraging more complex PAM configurations such as LDAP, NIS or AD, it is recommended that all user and LifeKeeper group accounts exist prior to installing or upgrading SPS.
The best practice is to always grant permissions on a cluster-wide basis. It is possible to grant permissions on a single-server basis, but that is confusing to users and makes it impossible to perform administrative tasks.
© 2014 SIOS Technology Corp., the industry's leading provider of business continuity solutions, data replication for continuous data protection.
Open topic with navigation