I use nss-pam-ldapd and pam_ldap depending on the system, using an ldap filter 
to allow only certain groups per system. I prefer nss-pam-ldapd.

nss-pam-ldapd:

CentOS 6
Debian 6
Ubuntu 10.04

pam_ldap:

CentOS 5
FreeBSD 9

(Solaris is more like pam_ldap in configuration, but fairly unique.)

The manifests to deal with the above are essentially OS-specific.

On Thu, Jul 12, 2012 at 05:52:24PM +1000, Denmat wrote:
>    Puppet users and groups are fiddly. My current not implemented thinking is
>    to use ldap and manage pam_groups via puppet on the hosts to get the
>    granularity. 
>    More thinking out loud than anything else.
>    Den
> 
>    On 12/07/2012, at 6:03, Jo Rhett <[1]jrh...@netconsonance.com> wrote:
> 
>      I'm fighting with a ticklish issue.  We have some groups and users that
>      only belong on some systems. So we made all users virtual and then
>      realize them in classes specific to those system types.  This works
>      quite well for the users, but not for the groups. When you specify a
>      user, you have to list all the groups they are in. 
>               groups     => ['support','ops','dev'],
>       Obviously some groups aren't realized on all systems, so this produces
>      an error when usermod is run.
>              '/usr/sbin/usermod -G support,ops,dev jrhett' returned 6:
>      usermod: unknown group dev
>              usermod: unknown group dev
>      So I tried to get smarter, and put logic to add the group to each member
>      under the appropriate class
>              Class users::dev inherits users { 
>                      User['jrhett'] { groups +> ['dev'] }
>              }
>      This works... almost. It works for all instances where the user is only
>      subclassed once. But if I do the same technique in multiple classes I
>      get 
>      err: Could not retrieve catalog from remote server: Error 400 on SERVER:
>      Parameter 'groups' is already set on User_and_key[jrhett] by
>      #<Puppet::Resource::Type:0x7f4feed2d828> at
>      /etc/puppet/modules/users/manifests/support.pp:22; cannot redefine at
>      /etc/puppet/modules/users/manifests/dev.pp:27 on node
>      [2]s2-d1.company.com
>      So how can this be achieved, short of using an exec with an unless doing
>      another exec to determine if the group exists?
>      -- 
>      Jo Rhett
>      Net Consonance : net philanthropy to improve open source and internet
>      projects.
> 
>      --
>      You received this message because you are subscribed to the Google
>      Groups "Puppet Users" group.
>      To post to this group, send email to [3]puppet-users@googlegroups.com.
>      To unsubscribe from this group, send email to
>      [4]puppet-users+unsubscr...@googlegroups.com.
>      For more options, visit this group at
>      [5]http://groups.google.com/group/puppet-users?hl=en.
> 
> References
> 
>    Visible links
>    1. mailto:jrh...@netconsonance.com
>    2. http://s2-d1.company.com/
>    3. mailto:puppet-users@googlegroups.com
>    4. mailto:puppet-users+unsubscr...@googlegroups.com
>    5. http://groups.google.com/group/puppet-users?hl=en

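The per-system LDAP filter approach from the reply at the top, as an added example that is not code from the thread or from either poster. One class picks the backend the way the reply maps it (nss-pam-ldapd on CentOS 6, Debian 6 and Ubuntu 10.04; pam_ldap on CentOS 5 and FreeBSD 9; Solaris deliberately unhandled) and writes a filter that admits only members of the groups allowed on that host. Assumptions: Puppet 3 or later, an `allowed_groups` list passed per node, groups stored under `ou=groups` beneath the base DN, and a directory that exposes `memberOf` on user entries (Active Directory, or OpenLDAP with the memberof overlay); the URI, base DN and node name are constructed placeholders.

```puppet
# Added example; not code from the thread. Chooses the LDAP backend per OS the
# way the reply describes and writes a group-restricted login filter for it.
class ldap_access (
  $allowed_groups,                              # constructed per-node list of group cn values
  $ldap_uri = 'ldap://ldap.example.com/',       # placeholder
  $base     = 'dc=example,dc=com',              # placeholder
) {
  # Group names end up inside an LDAP filter, so a stray ')' or '*' from node
  # data would widen the match. Reject anything outside plain characters.
  $bad = inline_template('<%= @allowed_groups.reject { |g| g =~ /\A[A-Za-z0-9_-]+\z/ }.join(",") %>')
  if $bad != '' {
    fail("ldap_access: unsafe group name(s) in allowed_groups: ${bad}")
  }

  # One (memberOf=...) clause per allowed group, ORed together and ANDed with
  # the account object class. Assumes the directory maintains memberOf.
  $clauses      = inline_template('<%= @allowed_groups.map { |g| "(memberOf=cn=#{g},ou=groups,#{@base})" }.join %>')
  $login_filter = "(&(objectClass=posixAccount)(|${clauses}))"

  # Backend selection follows the reply: CentOS 5 and FreeBSD use pam_ldap,
  # the rest use nss-pam-ldapd. Anything else (Solaris included) fails loudly
  # rather than silently leaving the host unrestricted.
  case $::operatingsystem {
    'CentOS': {
      $backend = $::operatingsystemrelease ? {
        /^5\./  => 'pam_ldap',
        default => 'nss-pam-ldapd',
      }
    }
    'Debian', 'Ubuntu': { $backend = 'nss-pam-ldapd' }
    'FreeBSD':          { $backend = 'pam_ldap' }
    default: { fail("ldap_access: no backend mapping for ${::operatingsystem}") }
  }

  case $backend {
    'nss-pam-ldapd': {
      # nslcd answers both NSS and PAM, so filtering passwd/shadow is enough:
      # accounts outside the allowed groups are simply unknown on this host.
      file { '/etc/nslcd.conf':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0600',   # credentials such as bindpw belong in a root-only file
        content => "# Managed by Puppet
uri ${ldap_uri}
base ${base}
# Only members of the allowed groups resolve as accounts here.
filter passwd ${login_filter}
filter shadow ${login_filter}
",
        notify  => Service['nslcd'],
      }
      service { 'nslcd': ensure => running, enable => true }
    }
    'pam_ldap': {
      $conf = $::operatingsystem ? {
        'FreeBSD' => '/usr/local/etc/ldap.conf',
        default   => '/etc/ldap.conf',
      }
      file { $conf:
        ensure  => file,
        owner   => 'root',
        group   => $::operatingsystem ? { 'FreeBSD' => 'wheel', default => 'root' },
        mode    => '0644',
        content => "# Managed by Puppet
uri ${ldap_uri}
base ${base}
# pam_ldap ANDs this with the uid lookup, so non-members fail authentication.
pam_filter ${login_filter}
",
      }
    }
  }
}

# Constructed per-node declaration; the group list is the only thing that
# differs from system to system.
node 'ops-box.example.com' {
  class { 'ldap_access': allowed_groups => ['support', 'ops'] }
}
```

Two things to check after applying it: the filter only governs accounts that come from LDAP, so anything in the local `/etc/passwd` is unaffected; and on the pam_ldap hosts `pam_filter` restricts authentication only, so if nss_ldap is also in use the same filter belongs in its `nss_base_passwd` entry, otherwise the excluded users still appear in `getent passwd`.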
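For the Puppet-only side of Jo's question (the "Parameter 'groups' is already set ... cannot redefine" error when several classes append to one user's groups), an added example that is not from the thread, written for Puppet 4 or later since it uses iteration the thread's Puppet release did not have. The roles a node carries decide both which groups get realized and which of a user's wanted groups are handed to the user resource, so `groups` is set in exactly one place and `usermod` is never given a group that does not exist on that host. All names, roles and the node are constructed sample data.

```puppet
# Added example, not code from the thread. Filter the wanted group list once,
# per node, instead of overriding the user's 'groups' from several classes.

class users::roles (
  Array[String] $roles = [],           # roles assigned to this node (constructed)
) {
  # Every role-specific group is virtual; only those matching a role present
  # on this node get realized.
  $role_groups = ['support', 'ops', 'dev']
  $role_groups.each |String $g| {
    @group { $g: ensure => present }
  }
  $present_groups = $role_groups.filter |String $g| { $g in $roles }
  $present_groups.each |String $g| {
    realize Group[$g]
  }
}

define users::account (
  Array[String] $wanted_groups,
) {
  include users::roles
  # Keep only the groups realized here. A second class overriding 'groups' is
  # exactly the "already set ... cannot redefine" failure from the thread.
  $groups = $wanted_groups.filter |String $g| { $g in $users::roles::roles }

  user { $title:
    ensure     => present,
    managehome => true,
    groups     => $groups,
    # Make groupadd run before usermod on this host.
    require    => $groups.map |String $g| { Group[$g] },
  }
}

# Constructed node declaration: only 'support' and 'ops' exist here, so jrhett
# gets groups => ['support', 'ops'] and 'dev' never reaches usermod.
node 'ops-box.example.com' {
  class { 'users::roles': roles => ['support', 'ops'] }
  users::account { 'jrhett': wanted_groups => ['support', 'ops', 'dev'] }
}
```

The point of the design is that no class ever touches another class's parameter: the role list is the single input, the group resources and the user's membership are both derived from it, and a user whose wanted groups are all absent on a host simply ends up with an empty `groups` list.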