I'm trying to manage my userbase in puppet and having some trouble. My setup: users exist in LDAP. Public keys exist in LDAP (I really recommend this patch, see http://code.google.com/p/openssh-lpk/wiki/Main). Some machines use NFS to mount an exported set of home directories; others do not.
This means that very few user resources actually exist on most servers, but PAM will still return a list of users from LDAP. So I would like to make sure that if you are logging in, you are actually logging in with LDAP--basically, I want to get rid of anything in /etc/passwd. I add a resources clause to purge non-LDAP users:

    resources { user:
      purge => true,
      unless_system_user => true,
    }

Disaster, along with what appears to be a bug reporting a user found 'in both useradd and useradd' for each user that existed both on the system and in LDAP:

    Aug 5 06:22:11 nagios1 puppetd[32643]: Starting catalog run
    Aug 5 06:22:11 nagios1 puppetd[32643]: User ben found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:11 nagios1 puppetd[32643]: User xyz found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:11 nagios1 puppetd[32643]: User nagios found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:16 nagios1 puppetd[32643]: (/User[xyz]/ensure) removed
    ... snip a bunch of LDAP users getting removed ...
    Aug 5 06:22:20 nagios1 puppetd[32643]: (/User[ben]/ensure) change from present to absent failed: Could not delete user ben: Execution of '/usr/sbin/userdel ben' returned 8: userdel: user ben is currently logged in
    Aug 5 06:22:20 nagios1 puppetd[32643]: Finished catalog run in 8.82 seconds

Fortunately, my systems do not have write access to LDAP. Based on this line in the type reference for resources, "Any metaparams specified here will be passed on to any generated resources," I tried adding a 'provider' clause to the user resources but no dice. I'm not sure manually setting it to useradd will actually do what I want anyway. I'm guessing puppet simply doesn't support what I'm looking for right now, since LDAP users appear normally in most of the POSIX libraries. Is that assumption correct? If so, does anyone have any suggestions for how to manage this?
I am thinking I can make LDAP users be 200-300 or so and then the purge will consider them system accounts and still purge anything over 500 created with useradd. I hate awkward solutions, though, and was wondering if someone else has come across this before.
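The following is an added example, not code from the post above or from Puppet itself. It models what the post describes: a purge that enumerates accounts through NSS (what getent passwd returns, i.e. /etc/passwd merged with LDAP) cannot tell a local account from an LDAP one, so every non-system LDAP user without a local entry becomes a deletion, while accounts present in both places trigger the "found in both" duplicate warning. All passwd data here is constructed, the 500 system-UID threshold is an assumption matching the post (check UID_MIN in /etc/login.defs on your distribution), and the last function shows the effect of the post's proposed workaround of moving LDAP UIDs into the 200-300 range. Nothing here touches a live system; it is a dry-run check you can point at real `cat /etc/passwd` and `getent -s ldap passwd` output before enabling a purge.

```shell
#!/bin/sh
# Added example (not from the original post or from Puppet): dry-run a
# user purge against constructed passwd data to show which accounts go
# away when users are enumerated via NSS instead of /etc/passwd alone.

# Constructed /etc/passwd: local accounts only.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nagios:x:105:108::/var/lib/nagios:/bin/false
ben:x:1001:1001:Ben (stale local copy):/home/ben:/bin/bash
olduser:x:1002:1002::/home/olduser:/bin/bash'

# Constructed LDAP accounts as NSS would present them (passwd format).
# ben and nagios are deliberately duplicated in /etc/passwd above.
LDAP_PASSWD='ben:x:1001:1001:Ben:/home/ben:/bin/bash
xyz:x:2002:2002:XYZ:/home/xyz:/bin/bash
nagios:x:105:108::/var/lib/nagios:/bin/false
alice:x:2003:2003:Alice:/home/alice:/bin/bash'

# The same LDAP accounts after the workaround suggested in the post:
# UIDs moved into 200-300 so the purge treats them as system accounts.
LDAP_PASSWD_LOWUID='ben:x:201:201:Ben:/home/ben:/bin/bash
xyz:x:202:202:XYZ:/home/xyz:/bin/bash
nagios:x:105:108::/var/lib/nagios:/bin/false
alice:x:203:203:Alice:/home/alice:/bin/bash'

# Assumed threshold below which unless_system_user leaves accounts alone
# (500 in the post; UID_MIN in /etc/login.defs is 1000 on newer systems).
SYSTEM_UID_MIN=500

# Print, space-separated, the user names in passwd text $1 whose UID is at
# or above the threshold and which do not appear in passwd text $2.
# $3 optionally overrides the threshold. The exclusion list is streamed
# first, followed by a marker line, then the data, so one awk pass does it.
non_system_not_in() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1"; } |
    awk -F: -v min="${3:-$SYSTEM_UID_MIN}" '
        $0 == "---" { data = 1; next }
        !data       { seen[$1] = 1; next }
        $3 >= min && !($1 in seen) { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# Names present in both passwd texts $1 and $2, regardless of UID: these
# are the accounts the post saw reported as "found in both".
present_in_both() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1"; } |
    awk -F: '
        $0 == "---" { data = 1; next }
        !data       { seen[$1] = 1; next }
        ($1 in seen) { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# What the post actually wants removed: local, non-system accounts that
# have no LDAP counterpart.
intended_purge() { non_system_not_in "$LOCAL_PASSWD" "$LDAP_PASSWD"; }

# What an NSS-driven purge removes on top of that: LDAP accounts with no
# local entry, each of which becomes a userdel run on the host.
collateral_purge() { non_system_not_in "$LDAP_PASSWD" "$LOCAL_PASSWD"; }

# Same check after lowering the LDAP UIDs below the threshold.
collateral_purge_lowuid() { non_system_not_in "$LDAP_PASSWD_LOWUID" "$LOCAL_PASSWD"; }

echo "duplicated in /etc/passwd and LDAP:      $(present_in_both "$LOCAL_PASSWD" "$LDAP_PASSWD")"
echo "intended purge (local-only, >= $SYSTEM_UID_MIN):     $(intended_purge)"
echo "collateral purge via NSS enumeration:    $(collateral_purge)"
echo "collateral purge with LDAP UIDs 200-300: '$(collateral_purge_lowuid)'"
```

The UID-based workaround only hides the problem: every LDAP account must stay below the threshold forever, and a single LDAP user created with a normal UID is silently deleted from every host on the next run. Running a check like this in noop fashion against the real account sources, and refusing to apply the purge if the collateral set is non-empty, is the safer gate.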