I withdraw my question in shame :(

Turns out one of my fellow madmins was overriding our new user
creation calls and inserting a default password.  Doh!  Removing that
solves the problem.

On Aug 31, 6:18 am, Michael Gliwinski <michael.gliwin...@henderson-group.com> wrote:
> Hi Mark,
>
> We also use the combination of AD/LDAP + Puppet and I just checked and I don't
> have any entries in shadow file for any AD users.  I also checked the
> provider code and in fact AFAICS it first checks if any changes need to be
> applied (by comparing property values specified in manifest to values
> returned by the provider).
>
> Note that in my manifests I only have user/group resources for those coming
> from AD defined for dependency specification, without any attributes like UID
> or GID set on them.
>
> What does your usage of them look like?
>
> BTW I'm running 0.24.8 on CentOS-5.
>
> Michael
>
> On Friday 28 August 2009 15:29:38 Gajillion wrote:
>
> > All,
> > We use LDAP authentication against Active Directory on our Linux
> > systems.  If a user is not in AD, they don't get authenticated.
> > We remove all AD-authenticated users' shadow entries to keep the shadow
> > expirations from interfering with authentication.  However, the "user"
> > type in puppet insists that a user have a shadow entry and re-creates
> > it on every run.  This forces us to put another bit of code that
> > removes the shadow entry that Puppet just added.
>
> > This gives us the functionality that we need, but it also creates a
> > whole bunch of notices and a flurry of unnecessary activity every time
> > Puppet runs.  Anyone have any ideas on how to create and manage users
> > without forcing them to have a shadow entry at all?
>
> > Mark
>
> --
> Michael Gliwinski
> Henderson Group Information Services
> 9-11 Hightown Avenue, Newtownabby, BT36 4RT
> Phone: 028 9034 3319
>