Hi!
In our environment servers have admin user accounts created locally by
puppet. However, we also have accounts (which use the same user name but
different id) in LDAP/AD etc. This is not normally an issue as most
servers only use local authorisation.
However, in a couple of cases servers allow authorisation via other sources
(think - public file servers and the like). This is an issue when users
are created or deleted via puppet as puppet will not add a local user with
the same name as an LDAP one and will try to delete accounts that only
exist in read only LDAP.
I know one option would be to change local user names but the scope of this
change and institutional policy would make this difficult at best, so I am
looking for other solutions.
Another solution would be widespread use of LDAP etc., but this would put us
in an awkward position if we had to, say, fix an LDAP server, not to mention
other dependency and complexity issues; also not an option.
Not managing admin users via puppet is not a viable option.
Currently I use workarounds (generous name for them):
* Disable LDAP during commissioning (i.e. in a separate environment), meaning
that accounts are created fine, but if we need to add new staff etc. then
this will cause issues.
* Alter userdel to first check if the UID is less than the smallest
LDAP/AD assigned UID
Another option I have considered would be to replace the standard user type
usage with an exec that could do some checking, but even in its simplest
form it would be messy. I.e. instead of

    user {
      'username':  ensure => present;
      'otheruser': ensure => absent;
    }

something like:

    exec {
      'usercreate': command => '/usr/sbin/createuser';
      'userdelete': command => '/usr/sbin/deleteuser';
    }
    file {
      '/usr/sbin/createuser':
        content => "for each member of an ldap group/list, check if user exists in /etc/passwd; if not, find next available uid in range and create";
      '/usr/sbin/deleteuser':
        content => "for each member of an ldap group/list, check if user exists in /etc/passwd; if so, delete by uid";
    }
Can anyone suggest a better solution?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/24e69eca-410e-4776-a668-47673306bf92%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
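The two checks the createuser/deleteuser sketch above would have to make, written out as an added example that is not part of the original post and not Puppet's own code: a name is only a candidate for local creation when /etc/passwd itself has no entry for it, and a name is only a candidate for deletion when its local UID sits below the lowest UID the directory hands out (the poster's second workaround). Lookups go against a passwd-format file passed as an argument rather than through getent, so an LDAP entry with the same name cannot mask the local answer. The sample passwd file, the 1000-1999 local range and the LDAP floor of 10000 are constructed values for the example; the functions only read, and an exec would still wrap the real useradd/userdel around them.

```shell
#!/bin/sh
# Added example (not from the original post). Read-only checks that a Puppet
# exec could run before useradd/userdel so that a name existing only in
# read-only LDAP is never deleted and a local account is only created when no
# local entry exists. All lookups go against a passwd-format file argument;
# nothing here modifies the system.

# Constructed sample passwd file standing in for /etc/passwd.
PASSWD_FILE="${TMPDIR:-/tmp}/example_passwd.$$"
trap 'rm -f "$PASSWD_FILE"' EXIT
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Admin:/home/alice:/bin/sh
bob:x:1002:1002:Bob Admin:/home/bob:/bin/sh
svc:x:1010:1010:Service:/var/lib/svc:/usr/sbin/nologin
EOF

# Lowest UID the directory (LDAP/AD) assigns; assumed value for the example.
LDAP_MIN_UID=10000
# Local admin UID range; assumed values for the example.
LOCAL_MIN_UID=1000
LOCAL_MAX_UID=1999

# local_uid_of NAME FILE: print NAME's UID from FILE, or nothing if absent.
local_uid_of() {
    awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"
}

# needs_local_create NAME FILE: succeed when NAME has no entry in FILE.
needs_local_create() {
    [ -z "$(local_uid_of "$1" "$2")" ]
}

# safe_to_delete NAME FILE LDAP_MIN: succeed only when NAME exists in FILE
# with a UID below LDAP_MIN, i.e. it is a locally created account.
safe_to_delete() {
    uid=$(local_uid_of "$1" "$2")
    [ -n "$uid" ] && [ "$uid" -lt "$3" ]
}

# next_free_uid FILE MIN MAX: print the first UID in [MIN, MAX] not used in
# FILE, or nothing if the range is exhausted.
next_free_uid() {
    awk -F: -v lo="$2" -v hi="$3" '
        { used[$3] = 1 }
        END { for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit } }
    ' "$1"
}

# Walk a constructed list of names as the createuser/deleteuser scripts would.
for name in alice carol; do
    if needs_local_create "$name" "$PASSWD_FILE"; then
        echo "$name: no local entry; would create with uid $(next_free_uid "$PASSWD_FILE" "$LOCAL_MIN_UID" "$LOCAL_MAX_UID")"
    else
        echo "$name: local entry exists (uid $(local_uid_of "$name" "$PASSWD_FILE"))"
    fi
done
for name in bob carol; do
    if safe_to_delete "$name" "$PASSWD_FILE" "$LDAP_MIN_UID"; then
        echo "$name: local account below LDAP range; would delete"
    else
        echo "$name: not a local account; leaving alone"
    fi
done
```

Reading /etc/passwd directly is the point: `getent passwd carol` would answer from LDAP when nsswitch includes it, which is exactly the case where userdel must not run. The UID-floor test mirrors the altered-userdel workaround from the post and does nothing about directory accounts whose UID collides with the local range, so the floor and the local range must not overlap.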