We set up a separate root CA and used it to sign certificates on our puppetmasters. The puppetmasters then act as intermediate CAs and any client can connect to any puppetmaster. We then threw the puppetmasters behind our load balancer.
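An added example of the layout described in the post, written here for illustration and not taken from the poster's setup or from Puppet's own code: one root CA, one intermediate CA per puppetmaster, certificates issued by the intermediates, and the checks a client that trusts only the root will apply. All hostnames and CA names are made up, and the root's pathlen:1 / intermediates' pathlen:0 constraints are an assumption about how such a hierarchy should be constrained, not something the post states.

```ruby
require 'openssl'

# Added example (not from the original post): models one offline root CA,
# one intermediate CA per puppetmaster, and agent/server certs issued by the
# intermediates, then checks what a client that trusts only the root accepts.
# All names below are made up.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build and sign one certificate. issuer_cert == nil means self-signed.
def build_cert(subject:, pubkey:, serial:, issuer_cert:, issuer_key:, ca:, pathlen: nil, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # pathlen caps how many further CAs may hang below this one.
    bc = pathlen ? "CA:TRUE, pathlen:#{pathlen}" : 'CA:TRUE'
    cert.add_extension(ef.create_extension('basicConstraints', bc, true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth, clientAuth'))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always')) if issuer_cert
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root (kept offline in practice) plus one intermediate CA per puppetmaster.
def build_pki(master_fqdns)
  root_key = make_key
  root = build_cert(subject: '/CN=Example Puppet Root CA', pubkey: root_key.public_key, serial: 1,
                    issuer_cert: nil, issuer_key: root_key, ca: true, pathlen: 1, days: 3650)
  masters = master_fqdns.each_with_index.map do |fqdn, i|
    key = make_key
    cert = build_cert(subject: "/CN=#{fqdn} Intermediate CA", pubkey: key.public_key, serial: 10 + i,
                      issuer_cert: root, issuer_key: root_key, ca: true, pathlen: 0, days: 1825)
    { fqdn: fqdn, key: key, cert: cert }
  end
  { root: root, root_key: root_key, masters: masters }
end

# An intermediate issuing a cert (an agent's, or the master's own server cert).
def issue(issuer, subject, serial, ca: false)
  key = make_key
  cert = build_cert(subject: subject, pubkey: key.public_key, serial: serial,
                    issuer_cert: issuer[:cert], issuer_key: issuer[:key], ca: ca)
  { key: key, cert: cert }
end

# What a client does: trust only the root, take intermediates from the peer's
# chain, and verify. Returns true/false (store.error_string explains a false).
def chain_valid?(root, leaf, intermediates)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, intermediates)
end

def demo
  pki = build_pki(%w[puppetmaster1.example.com puppetmaster2.example.com])
  m1, m2 = pki[:masters]
  agent  = issue(m1, '/CN=web01.example.com', 100)          # agent enrolled via master 1
  server = issue(m2, "/CN=#{m2[:fqdn]}", 101)                # master 2's own server cert
  sub_ca = issue(m1, '/CN=Unplanned Sub CA', 102, ca: true)  # violates m1's pathlen:0
  deep   = issue(sub_ca, '/CN=db01.example.com', 103)
  {
    agent_via_master1:     chain_valid?(pki[:root], agent[:cert], [m1[:cert]]),
    server_of_master2:     chain_valid?(pki[:root], server[:cert], [m2[:cert]]),
    missing_intermediate:  chain_valid?(pki[:root], agent[:cert], []),
    cross_chain_mismatch:  chain_valid?(pki[:root], agent[:cert], [m2[:cert]]),
    sub_ca_beyond_pathlen: chain_valid?(pki[:root], deep[:cert], [sub_ca[:cert], m1[:cert]])
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The first two results are the point of the design: a client holding only the root accepts a certificate issued by either puppetmaster, so any agent can talk to any master behind the load balancer. The last three are the checks worth keeping in mind in the real deployment: every peer must be handed the intermediate alongside its leaf (a bare leaf does not verify), the intermediate presented has to be the one that actually signed the leaf, and pathlen:0 on each intermediate stops a compromised puppetmaster from minting further CAs the root would trust. It does not stop that puppetmaster from issuing arbitrary leaf certificates, so revocation at the root is still needed if one is compromised.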
Interesting idea!
LDAP sucks a LOT when it breaks, and it seems to break a lot. The puppetmaster is much less volatile in my experience. I'm a big fan of puppetizing the puppetmaster; it makes it much easier when there's only a single process used for configuring servers. It hasn't caused any huge problems in our environment. Remember, if the puppetmaster is misconfigured badly enough that it isn't passing out configs, the worst-case scenario is that you can't deploy new configs. Just log in to the puppetmaster and fix it by hand. Whereas, with LDAP logins, the worst case is you *can't* log in and fix it (yikes!).
Yeah. In this case, our LDAP servers are also our puppetmaster servers, so they share responsibilities. Hence why I wanted to keep those boxes un-managed.
-Matt
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.