Hi,

I've set up puppet to get node definitions from LDAP as per the docs.

It's been working well, but I now want to use fully qualified domain names instead of simple domain-less hostnames for the node name.

I replaced the ou=Hosts entries with equivalent ones using FQDNs, restarted the puppetmasterd, and tried a "puppetd --test" from one of the nodes. However, I get the following error message:

    info: Allowing batch1.phy.bnl.gov(130.199.22.134) trusted access to puppetmaster.getconfig
    debug: Our client is remote
    err: Could not find configuration for batch1.phy.bnl.gov or batch1 or default

On the puppetmasterd server I can see the correct LDAP entry for this node via "ldapsearch":

--------------------------------------
home:/etc/ldap# ldapsearch -x cn=batch1.phy.bnl.gov
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=batch1.phy.bnl.gov
# requesting: ALL
#

# batch1.phy.bnl.gov, Hosts, phy.bnl.gov
dn: cn=batch1.phy.bnl.gov,ou=Hosts,dc=phy,dc=bnl,dc=gov
objectClass: device
objectClass: ipHost
objectClass: puppetClient
objectClass: top
cn: batch1.phy.bnl.gov
ipHostNumber: 130.199.22.134
puppetclass: basicsystem
puppetclass: cupsserver
puppetclass: ldapclient
parentnode: basenode

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--------------------------------------

I think I have a hint as to the actual problem. I tried to add the above node definition directly in my site.pp like:

    node batch1.phy.bnl.gov {     # <-- line 11
        include basicsystem
        include cupsserver
        include ldapclient
    }

Restarting the puppetmasterd gives:

    Syntax error at '.' in file /etc/puppet/manifests/site.pp at line 11

So, "."s are bad. I then try quoting the node name:

    node 'batch1.phy.bnl.gov' {
        include basicsystem
        include cupsserver
        include ldapclient
    }

And, I can restart the master and perform a successful test with the client on this node.

I then tried to comment this out of site.pp and replace the LDAP entry with one like:

    dn: cn='batch1.phy.bnl.gov',ou=Hosts,dc=phy,dc=bnl,dc=gov
    objectClass: device
    objectClass: ipHost
    objectClass: puppetClient
    objectClass: top
    cn: 'batch1.phy.bnl.gov'
    ipHostNumber: 130.199.22.134
    puppetclass: basicsystem
    puppetclass: cupsserver
    puppetclass: ldapclient
    parentnode: basenode

Restart puppetmasterd and test the client but I still get:

    err: Could not find configuration for batch1.phy.bnl.gov or batch1 or default

Am I hitting a bug, or is there something I'm doing wrong?

Thanks,
-Brett.

On Sep 6, 2006, at 10:27 AM, Brett Viren wrote:

> Hi,
>
> I've set up puppet to get node definitions from LDAP as per the docs.
>
> It's been working well, but I now want to use fully qualified domain
> names instead of simple domain-less hostnames for the node name.
>
> I replaced the ou=Hosts entries with equivalent ones using FQDNs,
> restarted the puppetmasterd, and tried a "puppetd --test" from one of
> the nodes. However, I get the following error message:
>
>   info: Allowing batch1.phy.bnl.gov(130.199.22.134) trusted access
>   to puppetmaster.getconfig
>   debug: Our client is remote
>   err: Could not find configuration for batch1.phy.bnl.gov or
>   batch1 or default

[SNIP]

> Am I hitting a bug, or is there something I'm doing wrong?

Puppet currently has no provision for FQDNs within LDAP.

Normally your fqdn would be determined by the path within the LDAP repo; e.g., cn=myhost,ou=Hosts,dc=madstop,dc=com would translate to myhost.madstop.com. However, I do not have the code in place to go the other direction: To look for that kind of path based on the FQDN. At this point, I just look for '(&(objectclass=puppetclient)(cn=$host))' within the ldap repository.

In looking at my code, though, I'm realizing that there might be a bug there after all.

I'll look into it, and see what I can do. If you want FQDNs in LDAP, though, the DN => FQDN translation is the best way to go, so feel free to submit a feature request for it.

--
Luke Kanies
http://madstop.com | http://reductivelabs.com | 615-594-8199

Luke Kanies <luke@madstop.com> writes:

> Puppet currently has no provision for FQDNs within LDAP.
>
> Normally your fqdn would be determined by the path within the LDAP
> repo; e.g., cn=myhost,ou=Hosts,dc=madstop,dc=com would translate to
> myhost.madstop.com.

I don't think that would always work. What if you have two separate groups in the same domain wanting separate LDAP/puppet setups?

> However, I do not have the code in place to go
> the other direction: To look for that kind of path based on the
> FQDN. At this point, I just look for '(&(objectclass=puppetclient)
> (cn=$host))' within the ldap repository.

How about an additional lookup based on IP number? There is an ipHostNumber in the nis.schema.

The LDAP server will need to index ipHostNumber or lookups will be dog slow, but that's not such a harsh requirement.

> In looking at my code, though, I'm realizing that there might be a
> bug there after all.
>
> I'll look into it, and see what I can do. If you want FQDNs in LDAP,
> though, the DN => FQDN translation is the best way to go, so feel
> free to submit a feature request for it.

Okay. Should any further discussion be carried out there or here on the mailing list?

-Brett.

On Sep 13, 2006, at 1:53 PM, Brett Viren wrote:

> Luke Kanies <luke@madstop.com> writes:
>
>> Puppet currently has no provision for FQDNs within LDAP.
>>
>> Normally your fqdn would be determined by the path within the LDAP
>> repo; e.g., cn=myhost,ou=Hosts,dc=madstop,dc=com would translate to
>> myhost.madstop.com.
>
> I don't think that would always work. What if you have two separate
> groups in the same domain wanting separate LDAP/puppet setups?

Well, as long as the two groups manage different machines, it should be pretty straightforward.

However, I've just committed a fix to your basic problem: Puppet will now search for both the short name and the long name in LDAP. This should enable the form you want, where you set 'cn' as the FQDN.

It'd be great if you could test this from SVN, since not many people are using LDAP and you'd clearly be the first person using FQDNs in LDAP.

> How about an additional lookup based on IP number? There is an
> ipHostNumber in the nis.schema.
>
> The LDAP server will need to index ipHostNumber or lookups will be dog
> slow, but that's not such a harsh requirement.

Feel free to submit it as a feature request, but I don't expect many to want this feature so it'd be pretty low on the priority list. OTOH, it should be relatively easy to implement if it's something that means a lot to you, and I'd be glad to accept a patch.

> Okay. Should any further discussion be carried out there or here on
> the mailing list?

No, not necessarily. Anything that will be specifically pertinent to adding the feature should take place in the ticket, but otherwise, nah. I expect I've provided the feature you want, though, since it was a bug that it didn't already work that way.

--
Luke Kanies
http://madstop.com | http://reductivelabs.com | 615-594-8199
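
The lookup discussed in this thread, as an added Ruby example (not code from the thread or from Puppet): it builds the search filter for both the FQDN and the short name, escapes the client-supplied name per RFC 4515 before interpolating it, and performs the DN => FQDN translation. The function names and the in-memory ENTRIES table are assumptions made for the example.

```ruby
# Added illustration; not Puppet's implementation. Entry data is constructed.

# Escape a value for use inside an LDAP search filter (RFC 4515).
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Names to try for a node: the FQDN first, then the short name.
def candidate_names(host)
  [host, host.split('.').first].compact.uniq
end

# Filter matching a puppetClient entry whose cn is any candidate name.
def node_filter(host)
  terms = candidate_names(host).map { |n| "(cn=#{ldap_escape(n)})" }
  names = terms.size > 1 ? "(|#{terms.join})" : terms.first
  "(&(objectclass=puppetclient)#{names})"
end

# DN => FQDN translation: cn plus the dc components. A cn that already
# carries the domain is returned unchanged. Simplification: RDN values
# containing escaped commas are not handled.
def dn_to_fqdn(dn)
  rdns = dn.split(',').map { |rdn| rdn.strip.split('=', 2) }
  cn = rdns.find { |k, _| k.casecmp('cn').zero? }
  domain = rdns.select { |k, _| k.casecmp('dc').zero? }.map(&:last).join('.')
  return nil if cn.nil? || domain.empty?
  cn.last.end_with?(".#{domain}") ? cn.last : "#{cn.last}.#{domain}"
end

# Constructed stand-in for the directory: cn => puppetclass values.
ENTRIES = {
  'batch1.phy.bnl.gov' => %w[basicsystem cupsserver ldapclient]
}.freeze

# Resolve a node by long name, then short name; nil when neither exists.
def lookup(host, entries = ENTRIES)
  name = candidate_names(host).find { |n| entries.key?(n) }
  name && { name: name, classes: entries[name] }
end
```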