We already have about 300 workstations under puppet control, but we may need to scale this into the thousands as we expand our puppet footprint globally and into the datacenter. As a result, I am trying to move from using nodes.pp to an LDAP directory.

I currently have enhost working on many machines with no problem, but I can't seem to get puppet to find my nodes. I did install the schema, which added the puppetClient object class, and the parentnode and puppetclass attributes. I can also use phpldapadmin to add hosts in the Hosts ou, assign it the puppetClient object class, and define the puppetclass attribute.

Unfortunately I only seem to get this on the server (puppetmasterd -v --debug):

    err: Could not find node 'jpruitt-lnx.<domain>.<tld>'

And this on the client (puppetd -v -o --no-daemonize):

    err: Could not retrieve catalog: Could not find default node or by name with 'jpruitt-lnx.<domain>.<tld>, jpruitt-lnx' on node jpruitt-lnx

I have defined the node_terminus = ldap, ldapserver, and ldapbase attributes. I have tried including an ldapuser and ldappassword definition in my puppetmasterd.conf, just in case, and I have even tried defining the ldapstring:

    (&(objectclass=puppetClientt)(cn=%s))

I don't see any indication of ldap in the debug output of puppetmasterd, but if I provide a mangled ldapstring I can get it to give me the following error, so it seems like it is at least trying to query ldap:

    warning: Retrying LDAP connection
    err: LDAP Search failed: no result returned by search

Is there a better method for debugging ldap node issues? Am I correct in assuming that enhost and puppet ldap nodes should be able to work well together, even if they are both object classes of the same host? Any ideas?

- Thanks

Jeremy Pruitt

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
What is your host's hostname and the DN in the ldap? If the hostname is hostname+domainname, when enhost joins it to ldap, it will change to "hostname+Hosts+domainname", so the puppetmaster can't find the hostname from ldap.

I manually add the host in ldap or change the enhost binary, dropping the ou=Hosts. Then the puppetmaster can successfully find this node from ldap.

My English is so bad, and I have no time to check; I hope you can understand what I said above.

On Apr 10, 10:10 am, "jpru...@juniper.net" <jeremypru...@gmail.com> wrote:
jpruitt@juniper.net
2008-Apr-10 03:21 UTC
[Puppet Users] Re: Having trouble with ldapnodes
First of all, thank you very much for your response.

Are you saying that puppet doesn't look in an ou for the host? I did set the ldapbase to be ou=Hosts,dc=<domain>,dc=<tld> and thought that puppet would just search for cn=jpruitt-lnx in that ou. Is that not correct? How can I get puppet to look for the cn in the Hosts ou? I'd much prefer to keep things in the Hosts ou than in the root.

- Jeremy

On Apr 9, 7:37 pm, huangmingyou <ther...@gmail.com> wrote:
On Apr 9, 2008, at 10:21 PM, jpruitt@juniper.net wrote:

> First of all, thank you very much for your response.
>
> Are you saying that puppet doesn't look in an ou for the host? I did set the ldapbase to be ou=Hosts,dc=<domain>,dc=<tld> and thought that puppet would just search for cn=jpruitt-lnx in that ou. Is that not correct? How can I get puppet to look for the cn in the Hosts ou? I'd much prefer to keep things in the Hosts ou than in the root.

Puppet (and enhost) *definitely* use an ou. Specifically, they both use 'ou=Hosts' in whatever base you've defined.

--
A lot of people mistake a short memory for a clear conscience. -- Doug Larson
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Apr 9, 2008, at 9:10 PM, jpruitt@juniper.net wrote:

> Is there a better method for debugging ldap node issues? Am I correct in assuming that enhost and puppet ldap nodes should be able to work well together, even if they are both object classes of the same host? Any ideas?

This whole enhost resurrection is a bit of a surprise to me; I haven't heard of anyone using it in a couple of years, it seems, and now multiple people are using it. I certainly haven't changed how I think about ldap in a long time, so I am confident the two schemas will work well together, but I haven't done so myself.

Really, the best thing to do is to look in the logs of your ldap server to make sure that the searches make sense and that they're successfully finding what you think they are.

Mostly, tho: What do your nodes actually look like in ldap? The ldap node support is pretty forgiving in how the node is configured, but maybe there's something obvious.

--
This space intentionally has nothing but text explaining why this space has nothing but text explaining that this space would otherwise have been left blank, and would otherwise have been left blank.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
I am not so clear about this. So if a hostname is "host1.example.com", then the puppetmaster will search cn=host1,ou=Hosts,dc=example,dc=com in the ldap server? Before, I thought it would search cn=host1,dc=example,dc=com.

On Apr 10, 11:30 am, Luke Kanies <l...@madstop.com> wrote:
On Apr 9, 2008, at 10:44 PM, huangmingyou wrote:

> I am not so clear about this. So if a hostname is "host1.example.com", then the puppetmaster will search cn=host1,ou=Hosts,dc=example,dc=com in the ldap server? Before, I thought it would search cn=host1,dc=example,dc=com.

Yes; nearly all ldap architectures these days use an ou for different types, so users are at ou=People and hosts are at ou=Hosts, for instance.

Hosts always use 'cn' for the rdn.

--
A Chemical Limerick:
A mosquito cried out in pain:
"A chemist has poisoned my brain!"
The cause of his sorrow
was para-dichloro
diphenyltrichloroethane
-- Dr. D. D. Perrin
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
jpruitt@juniper.net
2008-Apr-10 05:04 UTC
[Puppet Users] Re: Having trouble with ldapnodes
OK, good. That's how I expected it to work. Here's a dump of an example host, but I'll be sure to check the server logs out tomorrow:

    dn: cn=jpruitt-lnx,ou=Hosts,dc=example,dc=com
    cn: jpruitt-lnx
    uniqueId: 007f0100
    operatingSystemRelease: 8
    hardwareModel: i686
    objectClass: top
    objectClass: device
    objectClass: ipHost
    objectClass: enHost
    objectClass: puppetClient
    hardwareISA: i686
    ipHostNumber: <removed>
    sshrsakey: ...
    operatingSystem: Fedora
    macAddress: <removed>
    sshdsakey: ...
    parentnode: workstation
    puppetclass: test_class

- Thanks for your help! :)

On Apr 9, 8:51 pm, Luke Kanies <l...@madstop.com> wrote:
On Apr 10, 2008, at 12:04 AM, jpruitt@juniper.net wrote:

That should work as far as I can tell.

About the only thing I can think of to do is try printf-style debugging in the ldap source.

BTW, what version is this?

--
Always read stuff that will make you look good if you die in the middle of it. -- P. J. O'Rourke
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
jpruitt@juniper.net
2008-Apr-10 05:15 UTC
[Puppet Users] Re: Having trouble with ldapnodes
I have been running version 0.24.4 on the server, but I just downgraded to 0.24.2 a couple of hours ago hoping to get a different result. Wasn't there a schema change in 0.24.3? I was concerned that might be a problem and hoped the move back to 0.24.2 might help. The puppetd client is 0.24.4

- Jeremy

On Apr 9, 10:09 pm, Luke Kanies <l...@madstop.com> wrote:
On Apr 10, 2008, at 12:15 AM, jpruitt@juniper.net wrote:

> I have been running version 0.24.4 on the server, but I just downgraded to 0.24.2 a couple of hours ago hoping to get a different result. Wasn't there a schema change in 0.24.3? I was concerned that might be a problem and hoped the move back to 0.24.2 might help. The puppetd client is 0.24.4

Then just go into indirectory/node/ldap.rb and see what you can see, I guess. It's not a lot of code; the base class is at indirectory/ldap.rb, and between the two of them you should be able to get enough information.

Have you verified from your ldap server logs that the right entry is getting returned?

--
An expert is a person who has made all the mistakes that can be made in a very narrow field. - Niels Bohr
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
jpruitt@juniper.net
2008-Apr-10 07:30 UTC
[Puppet Users] Re: Having trouble with ldapnodes
OK, been poking around for a bit without much luck. I also don't have access to the logs on the server as it is not under puppet control and therefore the sudoers file is out of whack (and not my box). :) I'll get the necessary access tomorrow to look at the server.

Oddly enough, this works just fine from my puppet server:

    ldapsearch -x -b "ou=Hosts,dc=example,dc=com" -h <fqdn_of_ldap_server> '(&(objectclass=puppetClient)(cn=jpruitt-lnx))'

as does enhost in populating it. Strange.

- Jeremy

On Apr 9, 10:24 pm, Luke Kanies <l...@madstop.com> wrote:
It might well be a problem with your ldap server.

Things to do on the ldap server:
Check ldap server logs. Can you turn up logging levels on the ldap server? You want to be checking for a successful connection, the actual query being made and the result returned.
Do your acls allow anonymous binds?

Hope this helps.

Aaron

On 10 Apr, 06:24, Luke Kanies <l...@madstop.com> wrote:
jpruitt@juniper.net
2008-Apr-10 07:48 UTC
[Puppet Users] Re: Having trouble with ldapnodes
Ya, I will check the logs tomorrow when I can get access to them as the LDAP server is not under my direct control. Anonymous binds must be working as the ldapsearch command I mentioned above worked without a bind DN.

- Thanks!

On Apr 10, 12:42 am, Aaron <busuk...@gmail.com> wrote:
If you have the time you could always capture the traffic using tcpdump :-)

On 10 Apr, 08:48, "jpru...@juniper.net" <jeremypru...@gmail.com> wrote:
jpruitt@juniper.net
2008-Apr-11 22:15 UTC
[Puppet Users] Re: Having trouble with ldapnodes
Here's the OpenLDAP logs for the puppet attempt (which doesn't work):

    Apr 11 14:23:30 <ldap_server_name> slapd[2765]: conn=138767 op=3 SRCH base="ou=Hosts,dc=juniper,dc=net" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=jpruitt-lnx.<domain>.<tld>))"
    Apr 11 14:23:32 <ldap_server_name> slapd[2765]: <= bdb_equality_candidates: (cn) index_param failed (18)
    Apr 11 14:23:32 <ldap_server_name> slapd[2765]: conn=138767 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text

And here's the log for the ldapsearch command (which does work):

    Apr 11 14:34:07 <ldap_server_name> slapd[2765]: conn=139797 op=1 SRCH base="ou=Hosts,dc=juniper,dc=net" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=jpruitt-lnx))"
    Apr 11 14:34:07 <ldap_server_name> slapd[2765]: <= bdb_equality_candidates: (cn) index_param failed (18)
    Apr 11 14:34:07 <ldap_server_name> slapd[2765]: conn=139797 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text

I also notice that puppet only queries for my fqdn, and my nodes are all defined without the domain piece. I did try adding a jpruitt-lnx.<domain>.<tld> node but it still couldn't find it. That did cause the nentries to equal 1, so once I added the fqdn node OpenLDAP finds it, but puppet still says:

    info: Caching node rbell-f8.jnpr.net
    err: Could not find default node or by name with 'jpruitt-lnx.<domain>.<tld>, jpruitt-lnx' on node jpruitt-lnx.<domain>.<tld>

Any ideas?

On Apr 10, 12:48 am, "jpru...@juniper.net" <jeremypru...@gmail.com> wrote:
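A small offline check written for this thread (not part of the original posts and not Puppet's own code): it parses the host entry from the earlier dump, rebuilt here with a placeholder address, evaluates the filter shown in the slapd SRCH line for each name the error message lists (the fqdn, then the short hostname), and reports how many entries each search would return. The fqdn-then-shortname order is read off the error message rather than from Puppet's source, and the LDIF and filter parsers are deliberately minimal (no escaped characters, no extensible matching).

```python
import base64

# Constructed LDIF entry: the host dump from earlier in the thread, with a
# placeholder address; the real attribute values are not needed for the check.
HOST_LDIF = """\
dn: cn=jpruitt-lnx,ou=Hosts,dc=example,dc=com
cn: jpruitt-lnx
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: enHost
objectClass: puppetClient
ipHostNumber: 192.0.2.10
parentnode: workstation
puppetclass: test_class
"""

# Filter from the slapd SRCH line, with %s where puppet substitutes the node name.
LOGGED_LDAPSTRING = "(&(objectClass=puppetClient)(cn=%s))"


def parse_ldif(text):
    """Parse LDIF into a list of entries: {lowercased attribute: [values]}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def parse_filter(text, i=0):
    """Parse an RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|!":
        op, i, kids = text[i], i + 1, []
        while text[i] != ")":
            kid, i = parse_filter(text, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = text.index(")", i)                  # no escaped ')' in the filters here
    attr, _, value = text[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; cn and objectClass compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                          # presence filter
        return bool(present)
    return any(v.lower() == value.lower() for v in present)


def candidate_names(fqdn):
    """Names in the order the error message lists them: the fqdn, then the short hostname."""
    short = fqdn.split(".", 1)[0]
    return [fqdn] if short == fqdn else [fqdn, short]


def node_lookup(entries, ldapstring, names):
    """Try each name in order; return (first name that matched or None, {name: nentries})."""
    report = {}
    for name in names:
        node, _ = parse_filter(ldapstring % name)
        report[name] = sum(1 for e in entries if matches(node, e))
    found = next((n for n in names if report[n] > 0), None)
    return found, report


if __name__ == "__main__":
    entries = parse_ldif(HOST_LDIF)
    names = candidate_names("jpruitt-lnx.example.com")
    for name, hits in node_lookup(entries, LOGGED_LDAPSTRING, names)[1].items():
        print("%-28s nentries=%d" % (name, hits))
```

Run it against an ldapsearch dump of the Hosts ou to reproduce the nentries=0 versus nentries=1 mismatch without touching the server; the filter string with the doubled "t" from the first message can be checked the same way and matches nothing.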
jpruitt@juniper.net
2008-Apr-11 22:18 UTC
[Puppet Users] Re: Having trouble with ldapnodes
Sorry, that last rbell-f8 was actually jpruitt-lnx. Weird pasting issue.

This:

info: Caching node rbell-f8.jnpr.net

Was actually this:

info: Caching node jpruitt-lnx.jnpr.net
On Apr 11, 2008, at 5:15 PM, jpruitt@juniper.net wrote:
> I also notice that puppet only queries for my fqdn, and my nodes are all defined without the domain piece. I did try adding a jpruitt-lnx.<domain>.<tld> node but it still couldn't find it. That did cause the nentries to equal 1, so once I added the fqdn node OpenLDAP finds it, but puppet still says:

It should search through both the fqdn and the normal name.

I'm pretty stumped; maybe ask others who are using it, or try some printf-style debugging.

--
I cannot and will not cut my conscience to fit this year's fashions. -- Lillian Hellman
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
jpruitt@juniper.net
2008-Apr-12 04:50 UTC
[Puppet Users] Re: Having trouble with ldapnodes
I have been playing with printf debugging and it looks like the ldap module definitely receives the object, but somewhere between there and the parser/compiler.rb things go wrong. A couple of questions:

What is an ast node?

Can you help me better understand this chunk of code (which contains the error message I'm receiving):

    # If ast nodes are enabled, then see if we can find and evaluate one.
    def evaluate_ast_node
        return unless ast_nodes?

        # Now see if we can find the node.
        astnode = nil
        @node.names.each do |name|
            break if astnode = @parser.nodes[name.to_s.downcase]
        end

        unless (astnode ||= @parser.nodes["default"])
            raise Puppet::ParseError, "Could not find default node or by name with '%s'" % node.names.join(", ")
        end

        # Create a resource to model this node, and then add it to the list
        # of resources.
        resource = astnode.evaluate(topscope)

        resource.evaluate

        # Now set the node scope appropriately, so that :topscope can
        # behave differently.
        @node_scope = class_scope(astnode)
    end

It seems to be somewhere between indirector/node/ldap.rb and parser/compiler.rb

- Thanks again!
jpruitt@juniper.net
2008-Apr-12 05:16 UTC
[Puppet Users] Re: Having trouble with ldapnodes
OK, I think I may have figured it out. While I commented out my "include nodes" line at the top of my site.pp file, I didn't realize I had a leftover node entry hiding at the bottom. As soon as I removed the node all was well.

I need to verify this on my production instance, but if it works I'll double-check the wiki and update it if this isn't mentioned.

Thanks to everyone for their help with this!

Jeremy Pruitt
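The two messages above (the quoted evaluate_ast_node chunk and the leftover-node resolution) describe one mechanism: once any node block exists in the manifests, the compiler demands a match for one of the node's names or a default, even when the node itself came from LDAP. The following Ruby is an added, stand-alone model of that lookup written for this thread; it is not Puppet's own code. It assumes that the node's name list is the certname followed by its short host name (the two names shown in the error message), that the lookup is skipped only when the manifests contain no node blocks at all (consistent with the fix reported above), and uses constructed host names and a hash standing in for the parsed manifest nodes.

```ruby
# Added example (not Puppet's own code): a stand-alone model of the node
# lookup quoted from parser/compiler.rb in this thread, showing why a
# leftover "node" definition in site.pp makes an LDAP-backed node fail.
# All host names and the manifest hash are constructed for the example.

class NodeLookupError < StandardError; end

# The names Puppet tries for a node: the certname as given, then the short
# host name. Assumption: this mirrors the two names listed in the thread's
# error message ("<fqdn>, <short name>").
def node_names(certname)
  names = [certname]
  names << certname.split('.').first if certname.include?('.')
  names
end

# manifest_nodes models @parser.nodes: downcased node name => node
# definition parsed from site.pp / nodes.pp. An empty hash means no "node"
# block exists anywhere in the manifests.
#
# Assumption (consistent with the fix reported in the thread): ast_nodes?
# is false only when the manifests define no node blocks at all, in which
# case the compiler skips this lookup and the LDAP node stands alone.
def find_ast_node(names, manifest_nodes)
  return nil if manifest_nodes.empty?

  astnode = nil
  names.each do |name|
    break if (astnode = manifest_nodes[name.to_s.downcase])
  end

  astnode ||= manifest_nodes['default']
  unless astnode
    raise NodeLookupError,
          "Could not find default node or by name with '%s'" % names.join(', ')
  end
  astnode
end

# Returns :ldap_only when no node block is needed, the matching node
# definition when one is found, or the error message Puppet would raise.
def classify_node(certname, manifest_nodes)
  astnode = find_ast_node(node_names(certname), manifest_nodes)
  astnode.nil? ? :ldap_only : astnode
rescue NodeLookupError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  fqdn = 'jpruitt-lnx.example.com' # constructed certname

  # 1. No node blocks left in the manifests: the LDAP entry alone is enough.
  puts classify_node(fqdn, {}).inspect

  # 2. One forgotten "node other-host { }" at the bottom of site.pp turns
  #    the lookup on, and no name matches: the thread's exact error.
  puts classify_node(fqdn, { 'other-host' => 'node other-host { }' }).inspect

  # 3. A catch-all "node default { }" satisfies the lookup for any host.
  puts classify_node(fqdn, { 'default' => 'node default { }' }).inspect

  # 4. Matching is done on the downcased short name as well as the fqdn.
  puts classify_node('JPRUITT-LNX.example.com',
                     { 'jpruitt-lnx' => 'node jpruitt-lnx { }' }).inspect
end
```

Case 2 is the situation the thread ended in: the LDAP lookup succeeds and the node is cached, but a single stray node block elsewhere in the manifests turns the AST lookup on and the error names both the fqdn and the short name. Removing every node block (case 1) or adding a node default (case 3) both clear it; which one is right depends on whether some hosts should still be classified from the manifests.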