On Thursday 25 Feb 2010 15:39:09 Andrew Schulman wrote:
> > I also manage users using AD (and likewise-open deployed with puppet),
> > and I've had a similar issue.
> > I couldn't find an elegant way to deploy ssh public keys "only if" the
> > home dir exists.
> >
> > I do NOT want the user homedir to be created by puppet!  (It must be
> > created by likewise-open if the user logs in.)
> > I also don't want errors to occur if the user folder doesn't exist. So I
> > need a "conditional" like:
> >
> > "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> >
> > As far as I know this is not possible with puppet.
> 
> Marcello, I want to understand your use case.  AD and LDAP seem to be
> fairly common in Puppet installations, and I'd like for ssh::auth to work
> well with them.  But I'm not that familiar with them.
> 
> Are you saying that once a user is authorized for a host (or the whole
> domain), the user exists on that host, but his/her home directory doesn't,
> until they first log in?

Yes.

> When the user logs in, is his/her home directory automounted from a network
> share?  In that case, the place to deploy the ssh keys would be in the
> user's home directory on the file server.  Or, is the home directory
> created locally on the host the first time the user logs in?

That depends, it is separate from LDAP integration.  In basic setup directory 
is simply created (from /etc/skel IIRC) when the user logs in.

> It would seem to me that once a user is authorized for a host, you'd want
> to create his/her ~/.ssh/authorized_keys right away, so they can log in by
> ssh.  If you can explain the sequence of how users get created and
> authorized and when their home directories get created, it would help me to
> address the need.

Yes, it is a bit of a chicken-and-egg problem because the way it works by 
default means first time the user has to log in using different method than SSH 
key auth.

Don't know, I had no brilliant ideas regarding this yet ;)  As it would seem 
for it to work first time the sshd on a host would need to check/pull user's 
key from the keymaster.

> 
> Andrew.
> 

Note that as I also mentioned before this means that there are no 'user' type 
resources in puppet (otherwise puppet would try to create them).

-- 
Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabby, BT36 4RT
Phone: 028 9034 3319

**********************************************************************************************
The information in this email is confidential and may be legally privileged.  
It is intended solely for the addressee and access to the email by anyone else 
is unauthorised.
If you are not the intended recipient, any disclosure, copying, distribution or 
any action taken or omitted to be taken in reliance on it, is prohibited and 
may be unlawful.
When addressed to our clients, any opinions or advice contained in this e-mail 
are subject to the terms and conditions expressed  in the governing client 
engagement leter or contract.
If you have received this email in error please notify 
supp...@henderson-group.com

John Henderson (Holdings) Ltd
Registered office: 9 Hightown Avenue, Mallusk, County Antrim, Northern Ireland, 
BT36 4RT.
Registered in Northern Ireland
Registration Number NI010588
Vat No.: 814 6399 12
*********************************************************************************

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Reply via email to