I am trying to get puppet to manage my LDAP users but I don't appear to be having much success. What I have in puppet.conf is this

[puppetmasterd]
ldapserver=ldap.myorg.company.com
ldapbase=dc=myorg,dc=org
ldapuser=cn=admin,dc=myorg,dc=org
ldappassword=mysecret
ldapparentattr=dc=myorg,dc=org

I added the ldapparentattr in desperation and doubt if it's actually required.

Now I have a class which says

user { "myuser":
  uid        => 500,
  groups     => myuser,
  gid        => 500,
  ensure     => present,
  comment    => "some info",
  managehome => 'true',
  home       => "/home/myuser",
  shell      => "/bin/bash",
  require    => [ Group["myuser"] ]
}

and the message I get is this

[root@here]# puppetd --test --noop --tags users
info: Loading fact drbd
info: Retrieving facts
info: Loading fact drbd
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
err: Got an uncaught exception of type LDAP::ResultError: Invalid DN syntax
notice: Finished catalog run in 4.01 seconds

I have tcpdump on port 389 running in another window and what I see is that puppet seems to be trying to send commands to the LDAP server but is missing the ldapbase info from everything - so it's sending things like uid=myuser,ou=People, and missing dc=myorg,dc=org from it.

Does this look like I am missing anything critical or has anyone done this before? I don't want to put my puppet nodes into LDAP but I do have my linux authentication already running out of LDAP and ideally am trying to get puppet to manage them for me.

Incidentally, in /usr/lib/ruby/site_ruby/1.8/puppet/provider/group/ldap.rb ou=Groups appears to be hard coded but this is not where my groups are defined in LDAP and the only way I could see to fix this was to edit the file and hack it that way.

Running on Centos 5.2 with puppet-0.24.7-4.el5

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Hi

two suggestions:

1. make sure ruby-ldap gem is installed
2. test via ldapsearch where puppetmasterd is installed

Reviewing the wiki will also help:

http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes

-L
--
Larry Ludwig
Larry Ludwig wrote:
> Hi two suggestions:
>
> 1. make sure ruby-ldap gem is installed
>
It is. On a different system without ruby-ldap installed I get

err: Could not prefetch user provider 'ldap': Could not set up LDAP Connection: Missing ruby/ldap libraries

> 2. test via ldapsearch where puppetmasterd is installed
>
This works since I am using LDAP via pam to allow access to the systems. But ldapsearch also works.

> Also reviewing the wiki will also help:
>
> http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes
>
The symptoms that I see are that puppet is not requesting a full DN though. It's 'forgetting' to append ldapbase to the end of the query so it's unsurprising that it is not working.

--
Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O *
4th Floor, Tower Point, 44 North Road, Brighton, BN1 1YR, UK
OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351
.................................................
www.calypso.com

This electronic-mail might contain confidential information intended only for the use by the entity named. If the reader of this message is not the intended recipient, the reader is hereby notified that any dissemination, distribution or copying is strictly prohibited.

* P * /*/ Please consider the environment before printing this e-mail /*/
On Mar 1, 2009, at 4:09 PM, Trevor Hemsley wrote:
>
> Larry Ludwig wrote:
>> Hi two suggestions:
>>
>> 1. make sure ruby-ldap gem is installed
>>
> It is. On a different system without ruby-ldap installed I get
>
> err: Could not prefetch user provider 'ldap': Could not set up LDAP
> Connection: Missing ruby/ldap libraries
>
>>
> The symptoms that I see are that puppet is not requesting a full DN
> though. It's 'forgetting' to append ldapbase to the end of the query
> so
> it's unsurprising that it is not working.
>
Hmm in my openldap ldap.conf file I defined the base dn, I don't remember if that was done for any specific reason.

I would check the source code to see if it helps you determine what the error may be.

What version of Puppetmaster are you using on what platform, with what LDAP?

At the moment I'm not sure what is the root cause of your error.

-L
--
Larry Ludwig
Larry Ludwig wrote:
> Hmm in my openldap ldap.conf file I defined the base dn, I don't
> remember if that was done for any specific reason.
>
I have the base dn defined in both ldap.conf files (/etc/ldap.conf and /etc/openldap/ldap.conf are listed below). ldapsearch -x works from the command line on this system. One oddity about that is that ldapsearch -x uses ldaps:// so talks encrypted on port 636 not plain text on port 389 - this is correct as far as I am concerned, I don't want plain text communication. Puppet talks plain text on port 389 though.

> What version of Puppetmaster are you using on what platform, with what
> LDAP?
>
[root@myhost]# rpm -q puppet-server
puppet-server-0.24.7-4.el5
[root@myhost]# cat /etc/redhat-release
CentOS release 5.2 (Final)
[root@myhost]# rpm -q openldap-servers
openldap-servers-2.3.27-8.el5_2.4
[root@myhost]# grep -v "^#" /etc/ldap.conf | grep -v "^$"
base dc=myorg,dc=org
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldaps://ldap.myorg.company.com/
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
[root@myhost]# cat /etc/openldap/ldap.conf
URI ldaps://ldap.myorg.company.com/
BASE dc=myorg,dc=org
TLS_CACERTDIR /etc/openldap/cacerts
[root@myhost]# ruby -rldap -e 'puts :installed'
installed
[root@myhost]# ruby -rpuppet -e 'p Puppet.features.ldap?'
true

Much experimentation later... fixed, I had to specify the ldapxxx parameters in the [puppetd] stanza of /etc/puppet/puppet.conf to make it work. e.g.

[puppetd]
ldapserver=ldap.myorg.company.com
ldapbase=dc=myorg,dc=org
ldapuser=cn=admin,dc=myorg,dc=org
ldappassword=mysecret

--
Trevor Hemsley
Infrastructure Engineer
On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:
>
> [puppetd]
> ldapserver=ldap.myorg.company.com
> ldapbase=dc=myorg,dc=org
> ldapuser=cn=admin,dc=myorg,dc=org
> ldappassword=mysecret
>
In my case it's in [puppetmasterd] but glad it works for you.

-L
--
Larry Ludwig
On Mar 1, 2009, at 9:27 PM, Larry Ludwig wrote:
>
> On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:
>
>> [puppetd]
>> ldapserver=ldap.myorg.company.com
>> ldapbase=dc=myorg,dc=org
>> ldapuser=cn=admin,dc=myorg,dc=org
>> ldappassword=mysecret
>>
>
> In my case it's in [puppetmasterd] but glad it works for you.

Heh, both of you should probably put it in main. :)

You need to either put it in main, the section named after the environment, or the section named after the executable, and (here's the key) you want it in the most general block possible.

If there's no harm in putting it in main, you should *always* do so.

Otherwise, only the named executable will have access to those settings.

--
Morgan's Second Law: To a first approximation all appointments are canceled.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Mar 3, 2009, at 12:09 PM, Luke Kanies wrote:
>
> On Mar 1, 2009, at 9:27 PM, Larry Ludwig wrote:
>
>> On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:
>>
>>> [puppetd]
>>> ldapserver=ldap.myorg.company.com
>>> ldapbase=dc=myorg,dc=org
>>> ldapuser=cn=admin,dc=myorg,dc=org
>>> ldappassword=mysecret
>>>
>>
>> In my case it's in [puppetmasterd] but glad it works for you.
>
> Heh, both of you should probably put it in main. :)
>
> You need to either put it in main, the section named after the
> environment, or the section named after the executable, and (here's
> the key) you want it in the most general block possible.
>
> If there's no harm in putting it in main, you should *always* do so.
>
> Otherwise, only the named executable will have access to those
> settings.
>
What other app in puppet uses LDAP?

-L
On Mar 3, 2009, at 1:42 PM, Larry Ludwig wrote:
>
> On Mar 3, 2009, at 12:09 PM, Luke Kanies wrote:
>
>> On Mar 1, 2009, at 9:27 PM, Larry Ludwig wrote:
>>
>>> On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:
>>>
>>>> [puppetd]
>>>> ldapserver=ldap.myorg.company.com
>>>> ldapbase=dc=myorg,dc=org
>>>> ldapuser=cn=admin,dc=myorg,dc=org
>>>> ldappassword=mysecret
>>>>
>>>
>>> In my case it's in [puppetmasterd] but glad it works for you.
>>
>> Heh, both of you should probably put it in main. :)
>>
>> You need to either put it in main, the section named after the
>> environment, or the section named after the executable, and (here's
>> the key) you want it in the most general block possible.
>>
>> If there's no harm in putting it in main, you should *always* do so.
>>
>> Otherwise, only the named executable will have access to those
>> settings.
>>
>
> What other app in puppet uses LDAP?

puppetmasterd looks in ldap for node information, and puppetd can manage users and groups in ldap.

--
A lot of people mistake a short memory for a clear conscience. -- Doug Larson
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
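As an added illustration of the section-precedence rule Luke describes and of the truncated DN Trevor saw on the wire (example code written for this thread, not Puppet's own): a toy puppet.conf resolver in Ruby that reads the original poster's layout, resolves ldapbase the way puppetd and puppetmasterd each would, and checks the resulting DN. The lookup order, the ou=People placement and the DN check are simplifications assumed here, not Puppet 0.24.7's actual implementation.

```ruby
# Added example (not Puppet's own code): a toy puppet.conf resolver showing why
# LDAP settings placed only under [puppetmasterd] leave puppetd with an empty
# ldapbase and the truncated DN "uid=myuser,ou=People," seen in the tcpdump.
# Constructed config in the original poster's layout, and Luke's [main] variant.
BROKEN_CONF = <<CONF
[puppetmasterd]
ldapserver=ldap.myorg.company.com
ldapbase=dc=myorg,dc=org
ldapuser=cn=admin,dc=myorg,dc=org
ldappassword=mysecret
CONF
FIXED_CONF = BROKEN_CONF.sub('[puppetmasterd]', '[main]')

# Minimal INI parser: settings before any header belong to [main].
def parse_ini(text)
  sections = {}
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(\w+)\]\z/
      current = $1
    elsif line =~ /\A(\w+)\s*=\s*(.*)\z/
      (sections[current] ||= {})[$1] = $2
    end
  end
  sections
end

# Lookup order as Luke describes it (assumed here): the section named after the
# running executable, then the environment section, then [main]; nil if absent.
def lookup(conf, name, executable, environment = 'production')
  [executable, environment, 'main'].each do |sec|
    return conf[sec][name] if conf[sec] && conf[sec].key?(name)
  end
  nil
end

# The ldap user provider keeps accounts under ou=People below ldapbase, so a
# missing ldapbase interpolates as "" and leaves an empty trailing RDN.
def user_dn(conf, executable, uid)
  "uid=#{uid},ou=People,#{lookup(conf, 'ldapbase', executable)}"
end

# Every comma-separated RDN must be attr=value; split(',', -1) keeps the
# trailing empty component that the server rejects as "Invalid DN syntax".
def valid_dn?(dn)
  dn.split(',', -1).all? { |rdn| rdn =~ /\A[A-Za-z][\w-]*=[^,]+\z/ }
end
```

With BROKEN_CONF, user_dn for puppetd yields the trailing-comma DN from the thread while puppetmasterd gets the full one; with FIXED_CONF both executables resolve the same base.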