Puppeteers,

One of the more ... interesting components of our configuration has been how we're handling users. We don't have an LDAP solution (yet), so we're using Puppet to handle users. This isn't overly complex, at least at first glance. We have three types of users.

* System admins
* Web developers
* R&D developer

The system admins have userids on all systems, of course, and they're in group 'wheel'. Web developers have userids on the web and database systems, with htdocs and mysql primary group set as applicable. The R&D developer is the 'web developer' for only a few systems, but the web developer team doesn't work on those systems, so he has a separate userid.

Initially, I set out to handle this with the virt_all_users class from the wiki:PuppetBestPractice page and some bits from wiki:Authorized_keysRecipe. I encountered a bug in the realize function (bug id #787, fixed in 0.24.0), and instead rewrote with normal resources in classes only included on the systems where those users were needed. This was 'working' until we needed to have all the web developers on the database systems, but with group mysql instead of htdocs.

There was a post to the list recently by a fellow who isn't using LDAP for managing users either due to security requirements in his environment. This seemed to be a good start for him, so I thought I'd share with the community at large. I didn't know where best to put this on the wiki, so if anyone has a suggestion, let me know and I'll post it.

There's a couple extra users and groups that are specific to our configuration. I've left those in as examples. Note that the R&D developer's userid hasn't been added, but that would follow the 'web' class as an example for usage.

Any thoughts or feedback? Yes I know. Use LDAP. Not yet, but eventually ;).

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
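
An added example, not the manifests the poster refers to: one way to express the layout described in the message (admins in wheel everywhere, web developers with primary group htdocs on web hosts and mysql on database hosts) using virtual users and collectors. It assumes current Puppet syntax; every class name, user name and uid is a hypothetical placeholder.

```puppet
# Constructed example: all names and uids below are placeholders.
# Virtual users are declared once and created only where a class collects them.
class accounts::virtual {
  @user { 'admin1':
    ensure     => present,
    uid        => 2001,
    gid        => 'wheel',
    managehome => true,
    tag        => 'sysadmin',
  }

  # No gid here: the primary group depends on the role of the host.
  @user { 'webdev1':
    ensure     => present,
    uid        => 2101,
    managehome => true,
    tag        => 'webdev',
  }
}

# Included on every system: only the admins are realized.
class accounts::sysadmins {
  include accounts::virtual
  User <| tag == 'sysadmin' |>
}

# Web hosts: realize the web developers with primary group htdocs.
class accounts::web {
  include accounts::virtual
  group { 'htdocs': ensure => present }
  User <| tag == 'webdev' |> { gid => 'htdocs' }
}

# Database hosts: same users, primary group mysql instead.
class accounts::db {
  include accounts::virtual
  group { 'mysql': ensure => present }
  User <| tag == 'webdev' |> { gid => 'mysql' }
}
```

A node is meant to include accounts::web or accounts::db, not both, because each sets a different primary group on the same user resources. Hosts that include neither get no web developer accounts at all, which keeps those logins off systems where they are not needed.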