What are people doing when they have all their users in a centralized LDAP directory but need to manage local groups? Is there some way to have a User resource manage the group membership but not actually create the user locally?

-- 
Russell A. Jackson <raj@csub.edu>
Network Analyst
California State University, Bakersfield

To err is human, to forgive, beyond the scope of the Operating System.

On Fri, May 30, 2008 at 12:28 PM, Russell Jackson <raj@csub.edu> wrote:
> What are people doing when they have all their users in a centralized LDAP directory but
> need to manage local groups? Is there some way to have a User resource manage the group
> membership but not actually create the user locally?

Why not put your groups in LDAP?

It does seem odd that you can't specify who the members of a group should be in the group type, though.

Adam

-- 
HJK Solutions - We Launch Startups - http://www.hjksolutions.com
Adam Jacob, Senior Partner
T: (206) 508-4759 E: adam@hjksolutions.com

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en

On May 30, 1:17 pm, "Adam Jacob" <a...@hjksolutions.com> wrote:
> On Fri, May 30, 2008 at 12:28 PM, Russell Jackson <r...@csub.edu> wrote:
> > What are people doing when they have all their users in a centralized LDAP directory but
> > need to manage local groups? Is there some way to have a User resource manage the group
> > membership but not actually create the user locally?
>
> Why not put your groups in LDAP?
>
> It does seem odd that you can't specify who the members of a group
> should be in the group type, though.

1. LDAP group look-ups against a large directory are slow as hell on FreeBSD due to an NSS API problem.
2. I don't necessarily want the same membership for a particular group on all hosts (e.g. wheel or root).
3. Some groups I want to manage are only relevant to a single host. Why clutter the LDAP name-space with a bunch of one off groups?

Adam Jacob wrote:
> On Fri, May 30, 2008 at 12:28 PM, Russell Jackson <raj@csub.edu> wrote:
>> What are people doing when they have all their users in a centralized LDAP directory but
>> need to manage local groups? Is there some way to have a User resource manage the group
>> membership but not actually create the user locally?
>
> Why not put your groups in LDAP?

In general, it is recommended not to put system users and system groups on LDAP, as:

* they may be required at boot before the connection to the LDAP server can be created.
* they are dependent on the distributions being used, it makes no sense to distribute this.
* distributions I am familiar with will use local files by default when installing/removing packages even when LDAP is configured.
* there usually is no reason to share this information or even try to make it consistent between hosts.

At the present time, there are a number of local groups on, say Ubuntu Hardy, that desktop users need to be added to to get full features of the desktop. e.g. audio, cdrom, video, plugdev, etc. It would be good if Puppet could manage this automatically.

For the long term, there might be other solutions that don't involve puppet. I will believe it when I see it ;-).

Brian May
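
An added example, not part of the thread and not Puppet code: a sketch of the operation the thread asks for, reconciling the member field of local groups in group(5) format against a per-host list without consulting or creating local accounts, so LDAP-only users can be members. The function names, the sample file contents and the desired membership are constructed for illustration.

```python
# Constructed sample in group(5) format: name:password:GID:member,member
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:root,olduser
audio:x:29:alice
plugdev:x:46:
"""

# Constructed per-host policy: the users live in LDAP, the groups are local.
DESIRED = {"wheel": {"root", "alice"}, "audio": {"alice", "bob"}}

def parse_group(text):
    """Return {group: (password, gid, [members])}, preserving file order."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, password, gid, members = fields
        groups[name] = (password, int(gid), [m for m in members.split(",") if m])
    return groups

def plan(groups, desired):
    """Return {group: (to_add, to_remove)} for managed groups that have drifted."""
    changes = {}
    for name, want in desired.items():
        if name not in groups:
            raise KeyError(f"group {name!r} is not defined locally")
        have = set(groups[name][2])
        if have != want:
            changes[name] = (sorted(want - have), sorted(have - want))
    return changes

def render(groups, desired):
    """Rewrite only the member field; GIDs and unmanaged groups are untouched."""
    out = []
    for name, (password, gid, members) in groups.items():
        if name in desired:
            members = sorted(desired[name])
        out.append(f"{name}:{password}:{gid}:{','.join(members)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    parsed = parse_group(SAMPLE_GROUP_FILE)
    print(plan(parsed, DESIRED))   # what would change, e.g. for a dry run
    print(render(parsed, DESIRED), end="")
```

The plan output doubles as a drift report for privileged groups such as wheel; on a real host the changes would be applied with the platform's own group-administration tool rather than by writing the file in place.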