On August 14, 2019 at 9:01 AM, jcbollinger <john.bollin...@stjude.org> wrote:

Why would you not want to write to the data store backing your User resources? If you cannot write, then you cannot manage resources -- neither create new ones nor modify existing ones nor remove unwanted ones. These things are what User resources are for. Without being able to write, the most you could do is use dependencies on User resources to cause other resources not to be applied in the event that a User configuration does not match your expectation.

If you simply want to configure systems to authenticate users against an LDAP directory and draw their information from there, then User resources are the wrong approach. For Linux, at least, you may want to look into configuring systems for LDAP itself, or for SSSD. You will probably want to manage nsswitch.conf, too. There are available modules for all these things. If you're looking to manage system-level access control, too, then you probably still want to come from that direction.

In my own house, for example, I authenticate Linux users against institutional Active Directory with use of SSSD (the managed machines are domain-joined). I manage which users are permitted to log in to which machines through SSSD configuration, not User resources. That approach can work for other data sources, too -- in particular, SSSD supposedly can work (directly) with LDAP directories, though I've never configured it that way.

John

Hi, John

Your response makes perfect sense. I am planning to use FreeIPA/Red Hat Identity Manager which uses SSSD to do everything you describe for your house. I want to be able to manage aspects of the user home directories for hardening purposes - permissions, no dot-netrc files, that sort of thing. In your experience, is it possible for an LDAP-authenticating login to have a user resource at all? If not, I will have to consider a shotgun approach to the home-dir management.

Thanks for the information

------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
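The "shotgun approach" to home-directory hardening raised in the reply above, as an added example that is not from either poster or from Puppet itself: it audits every directory under a base path for loose permissions and forbidden files, so it does not depend on the accounts being local or on User resources. The 0750 permission ceiling, the forbidden-file list and all function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Assumption: the policy bans .netrc (the post names dot-netrc files).
FORBIDDEN = (".netrc",)


def audit_home(path, max_mode=0o750):
    """Return findings for one home directory (max_mode is an assumed ceiling)."""
    findings = []
    # lstat so a symlinked home is judged on the link itself, not its target.
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} exceeds {max_mode:04o}")
    for name in FORBIDDEN:
        # lexists also catches a dangling symlink named .netrc.
        if os.path.lexists(os.path.join(path, name)):
            findings.append(f"{path}: forbidden file {name}")
    return findings


def audit_homes(base, max_mode=0o750):
    """Audit every real directory directly under base, whoever owns it."""
    findings = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if entry.is_dir(follow_symlinks=False):
            findings.extend(audit_home(entry.path, max_mode))
    return findings


def demo():
    """Build a constructed /home-like tree in a temp dir and audit it."""
    sample = (("alice", 0o700, False), ("bob", 0o755, True), ("carol", 0o750, False))
    with tempfile.TemporaryDirectory() as base:
        for name, mode, netrc in sample:
            home = os.path.join(base, name)
            os.mkdir(home)
            if netrc:
                open(os.path.join(home, ".netrc"), "w").close()
            os.chmod(home, mode)  # set explicitly so the umask does not interfere
        # Strip the temp prefix so the findings are stable across runs.
        return [f.replace(base + os.sep, "") for f in audit_homes(base)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host the base path would be wherever the directory-backed accounts get their home directories; the findings list can drive a report or a remediation step.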