On Thursday 25 Feb 2010 15:39:09 Andrew Schulman wrote:
> > I also manage users using AD (and likewise-open deployed with puppet),
> > and I've had a similar issue.
> > I couldn't find an elegant way to deploy ssh public keys "only if" the
> > home dir exists.
> >
> > I do NOT want the user homedir to be created by puppet!  (It must be
> > created by likewise-open if the user logs in.)
> > I also don't want errors to occur if the user folder doesn't exist. So I
> > need a "conditional" like:
> >
> > "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> >
> > As far as I know this is not possible with puppet.
> Marcello, I want to understand your use case.  AD and LDAP seem to be
> fairly common in Puppet installations, and I'd like for ssh::auth to work
> well with them.  But I'm not that familiar with them.
> Are you saying that once a user is authorized for a host (or the whole
> domain), the user exists on that host, but his/her home directory doesn't,
> until they first log in?
> When the user logs in, is his/her home directory automounted from a network
> share?  In that case, the place to deploy the ssh keys would be in the
> user's home directory on the file server.  Or, is the home directory
> created locally on the host the first time the user logs in?

That depends; it is separate from LDAP integration.  In a basic setup the directory 
is simply created (from /etc/skel IIRC) when the user logs in.

> It would seem to me that once a user is authorized for a host, you'd want
> to create his/her ~/.ssh/authorized_keys right away, so they can log in by
> ssh.  If you can explain the sequence of how users get created and
> authorized and when their home directories get created, it would help me to
> address the need.

Yes, it is a bit of a chicken-and-egg problem, because the way it works by 
default means the first time the user has to log in using a different method than SSH 
key auth.

Don't know, I have had no brilliant ideas regarding this yet ;)  As it would seem, 
for it to work the first time the sshd on a host would need to check/pull the user's 
key from the keymaster.

> Andrew.

Note that, as I also mentioned before, this means that there are no 'user' type 
resources in puppet (otherwise puppet would try to create them).

Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabbey, BT36 4RT
Phone: 028 9034 3319
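One way to express the "deploy only if the home dir exists" conditional from the thread in Puppet, as an added example that is neither the thread's nor ssh::auth's code. The staging path and user name are placeholders, and it assumes plain user names under /home rather than DOMAIN\user names:

```puppet
# Added example, not code from this thread or from ssh::auth.
# Goal from the thread: deploy ~/.ssh/authorized_keys only if the home
# directory already exists (likewise-open creates it at first login) and
# make no noise otherwise. Puppet manages a staging copy of the key
# unconditionally; only the copy into the home directory is guarded.
# Assumptions: home dirs live under $home_base, user names contain no
# backslash, and the staging path is a placeholder to replace with your own.
define ssh_key_if_home (
  $key,                      # one public key line, e.g. "ssh-rsa AAAA... user@host"
  $home_base = '/home'       # likewise-open may use /home/DOMAIN instead
) {
  $home  = "${home_base}/${name}"
  $stage = "/etc/puppet/staged_keys/${name}.pub"   # placeholder location

  # Always managed: the key lives here whether or not the user has logged in.
  # The key only ever appears as file content, never on a shell command line.
  file { $stage:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "${key}\n",
  }

  # Guard: test -d is the only command that runs when the home dir is absent,
  # so there is no error and Puppet creates nothing.
  exec { "ssh-dir-${name}":
    command => "/bin/sh -c 'mkdir -m 0700 ${home}/.ssh && chown ${name} ${home}/.ssh'",
    creates => "${home}/.ssh",
    onlyif  => "/usr/bin/test -d ${home}",
  }

  # Idempotent install: re-copy only when the deployed file differs from the
  # staged copy (cmp also fails when the file is missing), and only when the
  # home directory exists.
  exec { "authorized-keys-${name}":
    command => "/bin/sh -c 'cp ${stage} ${home}/.ssh/authorized_keys && chmod 0600 ${home}/.ssh/authorized_keys && chown ${name} ${home}/.ssh/authorized_keys'",
    onlyif  => "/usr/bin/test -d ${home}",
    unless  => "/usr/bin/cmp -s ${stage} ${home}/.ssh/authorized_keys",
    require => [ File[$stage], Exec["ssh-dir-${name}"] ],
  }
}

# Usage (constructed sample; real users come from AD, not from Puppet 'user' resources).
ssh_key_if_home { 'jdoe':
  key => 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY jdoe@example',
}
```

This only covers the conditional deployment; the first-login chicken-and-egg problem described above remains, since the key reaches the home directory only on a Puppet run after a non-key login has created it.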


You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.