I use nss-pam-ldapd and pam_ldap depending on the system, using an ldap filter to allow only certain groups per system. I prefer nss-pam-ldapd.
nss-pam-ldapd:
  CentOS 6
  Debian 6
  Ubuntu 10.04

pam_ldap:
  CentOS 5
  FreeBSD 9

(Solaris is more like pam_ldap in configuration, but fairly unique.)

The manifests to deal with the above are essentially OS-specific.

On Thu, Jul 12, 2012 at 05:52:24PM +1000, Denmat wrote:
> Puppet users and groups are fiddly. My current not implemented thinking is
> to use ldap and manage pam_groups via puppet on the hosts to get the
> granularity.
> More thinking out loud than anything else.
> Den
>
> On 12/07/2012, at 6:03, Jo Rhett <[1]jrh...@netconsonance.com> wrote:
>
> I'm fighting with a ticklish issue. We have some groups and users that
> only belong on some systems. So we made all users virtual and then
> realize them in classes specific to those system types. This works
> quite well for the users, but not for the groups. When you specify a
> user, you have to list all the groups they are in.
>
>   groups => ['support','ops','dev'],
>
> Obviously some groups aren't realized on all systems, so this produces
> an error when usermod is run.
>
>   '/usr/sbin/usermod -G support,ops,dev jrhett' returned 6:
>   usermod: unknown group dev
>   usermod: unknown group dev
>
> So I tried to get smarter, and put logic to add the group to each member
> under the appropriate class
>
>   class users::dev inherits users {
>     User['jrhett'] { groups +> ['dev'] }
>   }
>
> This works… almost. It works for all instances where the user is only
> subclassed once. But if I do the same technique in multiple classes I
> get
>
>   err: Could not retrieve catalog from remote server: Error 400 on SERVER:
>   Parameter 'groups' is already set on User_and_key[jrhett] by
>   #<Puppet::Resource::Type:0x7f4feed2d828> at
>   /etc/puppet/modules/users/manifests/support.pp:22; cannot redefine at
>   /etc/puppet/modules/users/manifests/dev.pp:27 on node
>   [2]s2-d1.company.com
>
> So how can this be achieved, short of using an exec with an unless doing
> another exec to determine if the group exists?
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet
> projects.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to [3]puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> [4]puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> [5]http://groups.google.com/group/puppet-users?hl=en.

References

Visible links
1. mailto:jrh...@netconsonance.com
2. http://s2-d1.company.com/
3. mailto:puppet-users@googlegroups.com
4. mailto:puppet-users+unsubscr...@googlegroups.com
5. http://groups.google.com/group/puppet-users?hl=en
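As an added illustration of the "LDAP filter to allow only certain groups per system" approach in the reply above (this is example code written for this page, not a manifest posted by anyone in the thread), here is a nss-pam-ldapd class that builds the per-host filter from the list of groups a node is allowed to serve. The class name, server URI, base DNs, CA path, nslcd uid/gid and hostnames are all assumptions; it also assumes user entries carry a memberOf attribute (memberOf overlay on OpenLDAP, or AD-style schema) and that nsswitch.conf and the PAM stack are handled by the OS-specific classes the reply mentions.

```puppet
# Added example, not from the thread. Manages /etc/nslcd.conf so that a
# host only resolves (and lets in) LDAP accounts that belong to at least
# one of the groups passed in. All names/paths below are assumptions.
class ldap_access (
  $allowed_groups,                               # e.g. ['support', 'ops']
  $uri         = 'ldaps://ldap.example.com/',    # assumed directory server
  $base        = 'dc=example,dc=com',            # assumed base DN
  $group_base  = 'ou=groups,dc=example,dc=com',  # assumed posixGroup OU
  $tls_cacert  = '/etc/ssl/certs/ldap-ca.pem',   # assumed CA bundle
  $nslcd_group = 'nslcd',                        # 'ldap' on CentOS 6
) {

  package { 'nss-pam-ldapd':
    ensure => installed,
  }

  # One (memberOf=...) term per allowed group; joined inside an OR below.
  $group_terms = inline_template(
    '<%= @allowed_groups.map { |g| "(memberOf=cn=#{g},#{@group_base})" }.join %>'
  )

  # Only posixAccounts in an allowed group are visible to NSS at all, so
  # getent/usermod never see anyone else and PAM has nobody else to log in.
  $passwd_filter = "(&(objectClass=posixAccount)(|${group_terms}))"

  # Belt and braces: nslcd re-checks the same group test at PAM account
  # stage for the user actually logging in ($username is expanded by nslcd).
  $authz_filter  = "(&(objectClass=posixAccount)(uid=\$username)(|${group_terms}))"

  file { '/etc/nslcd.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',        # may hold a bindpw; keep it root-only
    content => "# Managed by Puppet (class ldap_access); local edits are lost
uid nslcd
gid ${nslcd_group}
uri ${uri}
base ${base}
tls_reqcert demand
tls_cacertfile ${tls_cacert}
filter passwd ${passwd_filter}
filter group (objectClass=posixGroup)
pam_authz_search ${authz_filter}
",
    require => Package['nss-pam-ldapd'],
    notify  => Service['nslcd'],
  }

  service { 'nslcd':
    ensure => running,
    enable => true,
  }
}

# Per-role usage (assumed hostnames). Each host sees only members of its
# own groups, so the "usermod: unknown group dev" failure from the thread
# cannot occur: on web01 nobody who is only in 'dev' resolves at all.
node 'build01.example.com' {
  class { 'ldap_access': allowed_groups => ['support', 'dev'] }
}
node 'web01.example.com' {
  class { 'ldap_access': allowed_groups => ['support', 'ops'] }
}
```

The check worth running after a Puppet run is `getent passwd <user>` on a host where the user should resolve and on one where they should not; the second must return nothing, and `ldapsearch` with the generated `filter passwd` value should return exactly the accounts expected on that host. Note that `filter passwd` only governs the LDAP NSS source: accounts in the local /etc/passwd are unaffected, and `pam_authz_search` only fires for logins that reach nslcd, so both lines are kept rather than relying on either alone.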