Hi.

I need to configure our puppet nodes as LDAP clients, and was wondering if puppet has any built-in support for this.

We're running puppet v0.24.4 on RHEL 5 (and RHEL 4) servers.

Regards,
Kenneth Holter

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en

Kenneth Holter wrote:
> Hi.
>
> I need to configure our puppet nodes as LDAP clients, and was wondering
> if puppet has any built-in support for this.

Easy enough (if I understand correctly). We do this here with a 'ldap_client' module that looks something like this:

    class ldap_client {
        # LDAP client packages, checked once a day
        package {
            nss_ldap:
                schedule => daily,
                ensure   => latest;
            openldap:
                schedule => daily,
                ensure   => latest;
            openldap-clients:
                schedule => daily,
                ensure   => latest;
        }

        # Name service switch configuration and CA certificates,
        # served from the ldap_client module
        remotefile {
            "/etc/nsswitch.conf":
                source => "ldap_client/etc/nsswitch.conf",
                mode   => "644";
            "/etc/ssl/cacerts/gd-class2-root.crt":
                source => "ldap_client/etc/ssl/cacerts/gd-class2-root.crt",
                mode   => "644";
            "/etc/ssl/cacerts/gd_cross_intermediate.crt":
                source => "ldap_client/etc/ssl/cacerts/gd_cross_intermediate.crt",
                mode   => "644";
            "/etc/ssl/cacerts/gd_intermediate.crt":
                source => "ldap_client/etc/ssl/cacerts/gd_intermediate.crt",
                mode   => "644";
            "/etc/ssl/cacerts/sf_issuing.crt":
                source => "ldap_client/etc/ssl/cacerts/sf_issuing.crt",
                mode   => "644";
            "/etc/ssl/cacerts/valicert_class2_root.crt":
                source => "ldap_client/etc/ssl/cacerts/valicert_class2_root.crt",
                mode   => "644";
        }

        file {
            # The CA directory must exist before certificates are placed in it
            "/etc/ssl/cacerts":
                ensure => directory,
                mode   => 755,
                owner  => root,
                group  => root,
                before => Remotefile["/etc/ssl/cacerts/gd-class2-root.crt"];
            # Hash-named copies of the CA certificates, created once the
            # originals are in place
            "/etc/ssl/cacerts/219d9499":
                source  => "/etc/ssl/cacerts/gd-class2-root.crt",
                require => Remotefile["/etc/ssl/cacerts/gd-class2-root.crt"];
            "/etc/ssl/cacerts/97552d04":
                source  => "/etc/ssl/cacerts/gd_intermediate.crt",
                require => Remotefile["/etc/ssl/cacerts/gd_intermediate.crt"];
            "/etc/ssl/cacerts/b737b221":
                source  => "/etc/ssl/cacerts/sf_issuing.crt",
                require => Remotefile["/etc/ssl/cacerts/sf_issuing.crt"];
            "/etc/ssl/cacerts/bcdd5959":
                source  => "/etc/ssl/cacerts/valicert_class2_root.crt",
                require => Remotefile["/etc/ssl/cacerts/valicert_class2_root.crt"];
        }
    }

Cheers,
Ryan

Kenneth Holter
2008-Nov-20 10:37 UTC
[Puppet Users] Re: Configuring LDAP clients with puppet
Thanks for the reply.

As far as I can see you're only hosting the nsswitch file, but don't you also need to host/manage the ldap.conf file and one or two files in /etc/pam.d?

The "remotefile" resource type is new to me - is it available in puppet v.0.24.4?

On 11/19/08, Ryan Dooley <ryan.dooley@gmail.com> wrote:
> Easy enough (if I understand correctly). We do this here with a
> 'ldap_client' module that looks something like this:

Sorry for the late reply. Yes, you need to manage /etc/ldap.conf and probably /etc/ssl (or /etc/cacerts) depending on your setup. I do that a little differently at the moment (outside of puppet, though I really should be using puppet).

remotefile is a class that I snarfed from http://www.reductivelabs.com/trac/puppet/wiki/PuppetScalability

Cheers,
Ryan

On Thu, Nov 20, 2008 at 2:37 AM, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
> Thanks for the reply.
>
> As far as I can see you're only hosting the nsswitch file, but don't you
> also need to host/manage the ldap.conf file and a one or two files in
> /etc/pam.d?
>
> The "remotefile" resource type is new to me - is it available in puppet
> v.0.24.4?

Another good link for what you are asking for: http://reductivelabs.com/trac/puppet/wiki/Recipes/LDAPClientNSSwitch

On Sat, Nov 22, 2008 at 8:06 PM, Ryan Dooley <ryan.dooley@gmail.com> wrote:
> Sorry for the late reply. Yes, you need to manage /etc/ldap.conf and
> probably /etc/ssl (or /etc/cacerts) depending on your setup. I do
> that a little differently at the moment (outside of puppet, though I
> really should be using puppet).
>
> remotefile is a class that I snarfed from
> http://www.reductivelabs.com/trac/puppet/wiki/PuppetScalability
>
> Cheers,
> Ryan
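
The thread leaves /etc/ldap.conf unmanaged. As an added example (not code from the thread or from the Puppet project), here is a stand-alone class that manages it with server certificate checking pointed at the CA directory used in Ryan's module. The class name, server URI and base DN are placeholders, and the /etc/pam.d files are not covered.

```puppet
# Added example: manage /etc/ldap.conf (read by nss_ldap and pam_ldap on RHEL)
# so that LDAP lookups use StartTLS and verify the server certificate.
# Placeholders (assumptions, not from the thread): class name, URI, base DN.
class ldap_client_conf {
    $ldap_uri  = "ldap://ldap.example.com/"
    $ldap_base = "dc=example,dc=com"

    package { "nss_ldap":
        ensure => installed,
    }

    # Same CA directory as in the thread's ldap_client class.
    file { "/etc/ssl/cacerts":
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => 755,
    }

    # World-readable because unprivileged processes resolve users through
    # nss_ldap; keep bind credentials out of this file.
    file { "/etc/ldap.conf":
        owner   => root,
        group   => root,
        mode    => 644,
        # ssl start_tls      upgrade the ldap:// connection to TLS
        # tls_checkpeer yes  reject a server whose certificate does not chain
        #                    to a CA in tls_cacertdir; with "no" the session
        #                    is encrypted but the server is not authenticated
        content => "uri ${ldap_uri}\nbase ${ldap_base}\nssl start_tls\ntls_checkpeer yes\ntls_cacertdir /etc/ssl/cacerts\n",
        require => [ Package["nss_ldap"], File["/etc/ssl/cacerts"] ],
    }
}
```

When this is combined with the ldap_client class from the thread, drop the package and directory resources here, since that class already declares them.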