OK, just playing around with it so far, but I think this will work. I'm setting up a virtual machine to test it on right now. Tell me if you think this is a good approach:
    define authentication::ldap($server, $binddn, $bindpasswd, $adminuser = "", $adminpass = "", $domain = "", $workgroup = "") {
      class linux {
        ......
      }

      class mac {
        exec { "restart com.apple.DirectoryServices":
          command     => "launchctl stop com.apple.DirectoryServices && launchctl start com.apple.DirectoryServices",
          refreshonly => true,
        }

        # Set Active Directory plugin to active
        exec { "activate AD plugin":
          command => "defaults write /Library/Preferences/DirectoryService/DirectoryService \"Active Directory\" Active",
          # test if the Active Directory service is set to be active
          # ($4 is escaped so Puppet does not interpolate it; POSIX test uses a single =)
          unless  => "test `defaults read /Library/Preferences/DirectoryService/DirectoryService | grep \"Active Directory\" | awk '{print \$4}' | sed 's/;//'` = \"Active\"",
          # one resource may only set notify once, so both targets go in an array
          notify  => [ Exec["restart com.apple.DirectoryServices"], Exec["join domain"] ],
        }

        exec { "join domain":
          refreshonly => true,
          command     => "dsconfigad -f -u $adminuser -p $adminpass -domain $domain",
        }
      }

      case $operatingsystem {
        "CentOS": {
          include linux
          Exec <| title == "authconfig-ldap" |>
        }
        "Darwin": {
          include mac
        }
      }
    }

On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote:

>
> On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:
>
>>
>> On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrw...@gmail.com> wrote:
>>
>> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
>>>
>>> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.c...@gmail.com> wrote:
>>>
>>> Does anyone know how to go about joining Mac OS X Leopard to an Active
>>> Directory domain with puppet?
>>> Primarily it needs to be broken down into doing LDAP authentication
>>> with a few attribute mappings and using Kerberos for the password
>>> authentication.
>>>
>>> You're going to want to push out your DS preferences and then do
>>> an exec for the joining of the machine account I imagine, although
>>> you could do some of this with templates.....
>>>
>>> How were you doing this before Puppet?
>>>
>>> There are no native types now, because those of us doing the Mac
>>> stuff with Puppet don't work in AD environments :)
>>>
>>> I'm more than happy to spend time helping you work through this
>>> though Carl. I'm reasonably familiar with AD integration even
>>> though we don't do it here.
>>>
>>> This would be a great recipe to get up on the Puppet wiki.
>>
>> We are in a large AD environment using Puppet. We currently handle
>> the AD joining outside of Puppet with a python script in a launchd
>> job that runs at first boot, though we will probably be moving this
>> to Puppet.
>>
>> The typical steps are:
>> 1. Make sure time server is set and time is set correctly ( ntpd.conf
>>    or exec systemsetup )
>> 2. Activate AD plugin by enabling it in DirectoryService.plist.
>>    ( just a simple key value but I think you need to restart
>>    DirectoryService for it to notice )
>> 3. Configure AD plugin using dsconfigad options. ( this can take a
>>    lot of options; all of these just change key values in
>>    ActiveDirectory.plist )
>> 4. Join to domain using dsconfigad with a limited AD account and
>>    password with permissions to add machines to your OU. ( this would
>>    need to exec the dsconfigad command with username, password, OU,
>>    machine join name. Unfortunately the password is passed to
>>    dsconfigad in clear text as a parameter )
>> 5. Set the authentication search path to Custom, and include your AD
>>    domain node using dscl. ( dscl exec )
>>
>> We do manage the time server with Puppet and setting a couple of
>> mapping attributes in the AD plists.
>>
>> I'm happy to help you get this all working in Puppet as well.
>>
>> oh cool. I didn't realize you were doing AD integration Kyle.
>>
>> How are you ensuring that AD continues to be configured on the
>> clients? Does the python launchd job do all of this? Or are you
>> managing some components as Puppet resources?
>>
>> I've been thinking for a while about how to manage DirectoryService
>> nodes as native Puppet types, but there are so many attributes to
>> think about I'm not sure it actually simplifies matters all that
>> much...
>
> Yes, I've done a lot of AD integration work. The python script I
> wrote tests the configuration and scenarios related to AD Node
> status and takes action if necessary. The only part in Puppet so
> far is management of a couple AD plist keys.
>
> Agreed, DirectoryService node configuration can get complex. There
> may be lower hanging fruit like improved plist management that would
> help in all areas including DirectoryService.
>
> Kyle

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
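An added example, not code from the thread, from Puppet or from Kyle's script: a small Python module in the spirit of the launchd script Kyle describes, covering the plugin-activation and domain-join steps that Carl's manifest guards with a grep/awk/sed pipeline. It parses the DirectoryService prefs and the `dsconfigad -show` output to decide which steps are still needed, and builds each command as an argv list so nothing is shell-expanded or word-split. The prefs and `dsconfigad -show` samples are constructed, the `dsconfigad -show` output format is an assumption (the thread does not show it), and the domain, account and computer names are placeholders. The password still reaches dsconfigad as a command-line argument, exactly the limitation Kyle points out; the script only keeps it out of its own argv and out of a shell string.

```python
# Added example (not from the thread): idempotent state checks and argv
# builders for the Mac AD join steps. Samples below are constructed.
import re
import subprocess

DS_PREFS = "/Library/Preferences/DirectoryService/DirectoryService"
DS_SERVICE = "com.apple.DirectoryServices"

# Constructed sample of `defaults read /Library/Preferences/DirectoryService/DirectoryService`
SAMPLE_DS_PREFS_INACTIVE = """{
    "Active Directory" = Inactive;
    AppleTalk = Inactive;
    BSD = Active;
    LDAPv3 = Active;
}
"""
SAMPLE_DS_PREFS_ACTIVE = SAMPLE_DS_PREFS_INACTIVE.replace(
    '"Active Directory" = Inactive;', '"Active Directory" = Active;')

# Constructed sample of `dsconfigad -show` on a bound machine (format assumed)
SAMPLE_DSCONFIGAD_SHOW = """You are bound to Active Directory:
Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$
"""


def plugin_status(prefs_text, plugin="Active Directory"):
    """State of one DirectoryService plugin ('Active'/'Inactive'), or None if absent.

    Anchored on the key name, so this cannot be fooled by another key whose
    value happens to contain the word Active (the grep|awk|sed guard can be).
    """
    pat = re.compile(r'^\s*"?%s"?\s*=\s*(\w+)\s*;' % re.escape(plugin), re.M)
    m = pat.search(prefs_text)
    return m.group(1) if m else None


def bound_domain(show_text):
    """Domain the machine is bound to according to `dsconfigad -show`, or None."""
    m = re.search(r"^Active Directory Domain\s*=\s*(\S+)", show_text, re.M)
    return m.group(1) if m else None


def plan(prefs_text, show_text, wanted_domain):
    """Steps still required, in order; an empty list means the machine is already converged."""
    steps = []
    if plugin_status(prefs_text) != "Active":
        steps += ["activate_plugin", "restart_directoryservices"]
    if bound_domain(show_text) != wanted_domain:
        steps.append("join_domain")
    return steps


def commands(step, admin_user, admin_pass, domain, computer_id, ou=None):
    """argv lists for a step. No shell is involved, so no $-expansion or splitting."""
    if step == "activate_plugin":
        return [["defaults", "write", DS_PREFS, "Active Directory", "Active"]]
    if step == "restart_directoryservices":
        return [["launchctl", "stop", DS_SERVICE], ["launchctl", "start", DS_SERVICE]]
    if step == "join_domain":
        # dsconfigad takes the password as an argument (clear text while it runs, as
        # Kyle notes); -a is the computer account name, -ou the container DN.
        cmd = ["dsconfigad", "-f", "-a", computer_id, "-u", admin_user,
               "-p", admin_pass, "-domain", domain]
        if ou:
            cmd += ["-ou", ou]
        return [cmd]
    raise ValueError("unknown step: %s" % step)


def read_text(argv):
    """Run a read-only command and return its stdout (used only on a real Mac)."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Only meaningful on Mac OS X with the tools present; placeholder names.
    import getpass
    import socket
    domain = "corp.example.com"                       # placeholder
    prefs = read_text(["defaults", "read", DS_PREFS])
    show = read_text(["dsconfigad", "-show"])
    todo = plan(prefs, show, domain)
    if "join_domain" in todo:
        pw = getpass.getpass("AD join account password: ")  # not taken from argv
    else:
        pw = ""
    for step in todo:
        for argv in commands(step, "joiner", pw, domain, socket.gethostname().split(".")[0]):
            subprocess.run(argv, check=True)
```

The convergence check mirrors the `unless` in the manifest but reads the key by name; `plan()` is pure, so the decision logic can be exercised on captured output without touching a machine, and the password is prompted for rather than taken as a script argument.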