I am wanting to use LDAP classes to determine what software packages to install on various Macs. I have the puppet schema installed and have populated a few puppetclass variables.

What I am looking for is some guidance on what the init.pp file would look like basically 'CASE' on various puppetclass variables.

Basically, all my computers are in OU=computers,cn=blah,dc=blah,dc=blah.

When 'puppetd' is run on the client, how does the puppetmaster server know what to lookup in LDAP?

I am sorry if this is all somewhat elementary, I am somewhat new to LDAP as well as puppet.

Thanks

-kurt

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Rob McBroom
2009-Apr-02 20:39 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
On 2009-Apr-2, at 2:56 PM, engle wrote:

> What I am looking for is some guidance on what the init.pp file would
> look like basically 'CASE' on various puppetclass variables.

The case shouldn't be needed. If you have entries in LDAP with attributes such as

    objectClass: puppetClient
    puppetClass: webserver

and you have this somewhere in your manifests

    class webserver {
      # stuff
    }

then the "stuff" will get applied to the node that matches that LDAP entry.

> Basically, all my computers are in
> OU=computers,cn=blah,dc=blah,dc=blah.
>
> When 'puppetd' is run on the client, how does the puppetmaster server
> know what to lookup in LDAP?

Assuming you've added something like this to your puppet.conf

    node_terminus = ldap
    ldapserver = ldap.blah.blah
    ldapbase = ou=computers,cn=blah,dc=blah,dc=blah

then the puppetmaster will search there for "(&(objectClass=puppetClient)(cn=fully.qualified.domain.name))". If it doesn't find anything using the FQDN, it will search using "cn=hostname" and if that fails, "cn=default".

> I am sorry if this is all somewhat elementary, I am somewhat new to
> LDAP as well as puppet.

It took a fair bit of trial and error for me to understand, but it was worth it (and the documentation for using LDAP has improved quite a bit recently).

--
Rob McBroom
<http://www.skurfer.com/>
engle
2009-Apr-02 21:30 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
Making headway, but my debug output is telling me that the 'LDAP Search failed'. I am assuming that this is due to the way that I am telling my puppetmaster to look at the LDAP directory.

I have the following in my puppet.conf file on my puppetmaster server:

    [puppetmasterd]
    reports = rrdgraph,store,log
    autosign = true
    node_terminus = ldap
    ldapserver = server.domain.edu
    ldapbase = ou=computers,cn=server,dc=domain,dc=edu
    ldapuser= uid=diradmin,cn=users,dc=server,dc=domain,dc=edu
    ldappassword=password

Do I need to specify anything on the puppet client machine?

The fqdn of the client matches the cn entry in my LDAP database.

Thanks,

-kurt
Rob McBroom
2009-Apr-03 13:34 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
On 2009-Apr-2, at 5:30 PM, engle wrote:

> Making headway, but my debug output is telling me that the 'LDAP
> Search failed'. I am assuming that this is due to the way that I am
> telling my puppetmaster to look at the LDAP directory.

Since you're using authentication, that could complicate things. Does your LDAP server require TLS or SSL for authentication? If so, is all that working correctly? You might make sure ruby-ldap supports SSL on your puppetmaster.

> Do I need to specify anything on the puppet client machine?

No.

> The fqdn of the client matches the cn entry in my LDAP database.

I would look at the logs on the LDAP server. There might not be any logs by default. The Red Hat and Debian openssl packages both use local4 for logging, so I had to add something like this to /etc/syslog.conf:

    # OpenLDAP
    local4.*    /var/log/ldap.log

You'll want to see lines containing "SRCH" along with the details of the search (filter, base, etc) followed by lines containing "SEARCH RESULT" and "nentries=1". If you see 0, the search didn't find anything. If you see more than 1, you've got a duplicate entry that needs to be eliminated.

--
Rob McBroom
<http://www.skurfer.com/>
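The log check described in the message above, as an added example that is not part of the thread: a Ruby script that pairs each "SRCH" line with its "SEARCH RESULT" line, classifies the lookup by nentries, and also flags a failed bind (LDAP result code 49, invalid credentials). The log lines are constructed in OpenLDAP's stats-level format; host names, timestamps, pids and connection ids are assumptions.

```ruby
# Added example: audit slapd log lines for the puppetmaster's node lookups.

# Constructed log excerpt (not from the thread); host names, pids and
# connection ids are invented for illustration.
SAMPLE_LOG = <<~'LOG'
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=0 BIND dn="uid=diradmin,cn=users,dc=server,dc=domain,dc=edu" method=128
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=1 SRCH base="ou=computers,cn=server,dc=domain,dc=edu" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=lab01.domain.edu))"
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=2 SRCH base="ou=computers,cn=server,dc=domain,dc=edu" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=lab01))"
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=3 SRCH base="ou=computers,cn=server,dc=domain,dc=edu" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=default))"
  Apr  3 09:30:01 ldap slapd[812]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
  Apr  3 09:31:12 ldap slapd[812]: conn=1002 op=1 SRCH base="ou=computers,cn=server,dc=domain,dc=edu" scope=2 deref=0 filter="(&(objectClass=puppetClient)(cn=lib07.domain.edu))"
  Apr  3 09:31:12 ldap slapd[812]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
  Apr  3 09:32:40 ldap slapd[812]: conn=1003 op=0 BIND dn="uid=diradmin,cn=users,dc=server,dc=domain,dc=edu" method=128
  Apr  3 09:32:40 ldap slapd[812]: conn=1003 op=0 RESULT tag=97 err=49 text=
LOG

SRCH_RE    = /conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="(.*)"\s*$/
SEARCH_RES = /conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)/
BIND_RE    = /conn=(\d+) op=(\d+) BIND dn="([^"]*)"/
BIND_RES   = /conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)/

# Map a search outcome to the three cases: 0 entries, exactly 1, more than 1.
def search_verdict(err, nentries)
  return :error if err != 0
  return :not_found if nentries.zero?

  nentries == 1 ? :ok : :duplicate
end

# Returns one hash per completed bind or search, in log order.
def analyze(log)
  pending = {} # [conn, op] => request seen, result not yet seen
  findings = []
  log.each_line do |line|
    if (m = SRCH_RE.match(line))
      pending[[m[1], m[2]]] = { kind: :search, base: m[3], cn: m[4][/\(cn=([^)]*)\)/, 1] }
    elsif (m = BIND_RE.match(line))
      pending[[m[1], m[2]]] = { kind: :bind, dn: m[3] }
    elsif (m = SEARCH_RES.match(line))
      req = pending.delete([m[1], m[2]])
      next unless req # result whose request is not in this excerpt

      err = m[3].to_i
      n = m[4].to_i
      findings << req.merge(conn: m[1].to_i, err: err, nentries: n,
                            verdict: search_verdict(err, n))
    elsif (m = BIND_RES.match(line))
      req = pending.delete([m[1], m[2]])
      next unless req

      err = m[3].to_i
      findings << req.merge(conn: m[1].to_i, err: err,
                            verdict: err.zero? ? :bound : :bind_failed)
    end
  end
  findings
end

# Findings an operator has to act on: duplicates, failed binds, search errors.
def problems(findings)
  findings.select { |f| %i[duplicate bind_failed error].include?(f[:verdict]) }
end

if __FILE__ == $PROGRAM_NAME
  analyze(SAMPLE_LOG).each do |f|
    target = f[:kind] == :bind ? f[:dn] : "cn=#{f[:cn]}"
    puts format('conn=%d %-6s %-55s %s', f[:conn], f[:kind], target, f[:verdict])
  end
end
```

On the constructed sample, connection 1001 shows the FQDN and short-hostname searches missing before "cn=default" matches, connection 1002 is a duplicate entry, and connection 1003 never reaches a search because the bind is rejected.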
Nigel Kersten
2009-Apr-03 13:53 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
On Thu, Apr 2, 2009 at 11:56 AM, engle <kurt.engle@gmail.com> wrote:

> I am wanting to use LDAP classes to determine what software packages
> to install on various Macs. I have the puppet schema installed and have
> populated a few puppetclass variables.
>
> What I am looking for is some guidance on what the init.pp file would
> look like basically 'CASE' on various puppetclass variables.
>
> Basically, all my computers are in
> OU=computers,cn=blah,dc=blah,dc=blah.
>
> When 'puppetd' is run on the client, how does the puppetmaster server
> know what to lookup in LDAP?
>
> I am sorry if this is all somewhat elementary, I am somewhat new to
> LDAP as well as puppet.

Is your LDAP server an OS X Server Open Directory Server?

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.
engle
2009-Apr-07 21:32 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
I got puppet working with the LDAP search. It had to do with authentication to my LDAP server. Thanks for your help.

NOW, I have a bigger question for the Puppet Community. Here is a small explanation as to what I am trying to accomplish with puppet and package distribution:

We are a K-12 school district with multiple schools and multiple configurations of Macs within those schools. We would like to store package information in our LDAP directory and pass those variables to puppet to load them onto client computers out in the schools.

At any given school, we will have a base image that the computers will be loaded with with respect to their OS version and architecture. Then, depending on the functionality of the computer, we will load other packages on the various devices.

We would like to define groups that represent the packages that would be installed on a given computer. Then we would define the computers in LDAP and assign them to the appropriate group(s).

I have been able to define a device in LDAP, create a class based on the 'puppetclass' in LDAP and install a package on the device. So, I am about 1/4 of the way there. Now what I would like to do is to have puppet follow a trail from the device itself to the device's group and do the same thing, but have the puppetclass of the group return the name of a package to puppet to install. Make Sense???

As a side but related question; what is the significance of the 'parentnode' to puppet?

Thanks,

-kurt
Rob McBroom
2009-Apr-08 16:25 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
On 2009-Apr-7, at 5:32 PM, engle wrote:

> I got puppet working with the LDAP search. It had to do with
> authentication to my LDAP server.

Glad to hear it.

> We would like to define groups that represent the packages that would
> be installed on a given computer. Then we would define the computers
> in LDAP and assign them to the appropriate group(s).

Do you mean a groupOfNames in LDAP or something similar? You could certainly do this, but I don't know if there's an easy way to teach Puppet about these groups. I think you'd need to write your own code to get the node info out of LDAP.

> I have been able to define a device in LDAP, create a class based on
> the 'puppetclass' in LDAP and install a package on the device. So, I
> am about 1/4 of the way there. Now what I would like to do is to have
> puppet follow a trail from the device itself to the device's group and
> do the same thing, but have the puppetclass of the group return the
> name of a package to puppet to install. Make Sense???

You can have multiple puppetClass attributes for each machine, if that helps you any. Although, my approach would probably be to define the class(es) in LDAP, then use the class to build a list of packages. But maybe it would be nice for others in your organization to see all the packages in LDAP and not have to know about Puppet. I'm sure you have your reasons. Anyway, instead of groups, you might be able to accomplish this using parentnode.

> As a side but related question; what is the significance of the
> 'parentnode' to puppet?

I haven't used it myself, but I believe you can have a parent node that defines its own puppetClass attributes, etc. Then you can have a "group" of machines with the same parent node and they would all inherit the classes (and maybe some other stuff) from that node. It's like saying "this machine belongs to X group" for each machine, rather than having a group that says "my members are A, B, C". So you wouldn't literally be creating groups in LDAP, but it might accomplish what you want. I'm not sure if you can assign multiple parent nodes.

--
Rob McBroom
<http://www.skurfer.com/>

The magnitude of a problem does not affect its ownership.
Kurt Engle
2009-Apr-08 17:57 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
Rob, thanks again for your response.

You are basically correct in understanding what we are trying to accomplish. We have a number of different configurations for devices out there on our network...too many. We are trying to get out of the business of determining what needs to be installed on a defined group of machines. We want the local techs to decide that and enter that information in LDAP for a given group of computers. Puppet would just look up the package information which would be returned as a variable to the manifest and push out the appropriate package. Simple (conceptually) right? But, it does require some Ruby code that I have yet to attempt to implement.

I have done some experimentation with 'parentnode' it does function as you mention. I was able to make a parentnode with puppetclasses defined. I took my host and assigned it a parentnode as well as some puppetclasses. All the packages related to both the parentnode and the device puppetclasses were installed. However, the parentnode and the device had to be in the same branch of the LDAP tree. I tried specifying a static LDAP path in the parentnode value, but that did not work. As for multiple parentnodes... I will give that a go as well.

Thanks for all your help,

-kurt
engle
2009-Apr-24 18:02 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
I just wanted to follow up on this thread and let you know that I have pretty much got Puppet and LDAP doing what I want it to do.

Basically, if a node boots up and runs 'puppetd' it will check in with LDAP to see if the node is entered in the LDAP directory. If not, it will use a 'default' object in the LDAP directory that tells puppet to use some 'facter' information and enter the node in LDAP and define a few puppetclasses for the node. The puppetclasses defined tells what packages need to be installed on the specific node. Pretty slick....

As I mentioned, we are a school district with multiple architectures and multiple functions for our macs in all the schools. Each school has a different set of packages that need to be installed on specific machines. We have defined 'computer_groups' that represent all the different functionalities. The school technicians can manage what packages are installed and what computers need to be included in the 'computer_groups' for the computer's function. Puppet uses the computer's serial number as its host name and then searches all the 'computer_groups' in the LDAP directory for the 'memberUid=<sn>' and picks out the 'puppetvar' attribute which is a package that needs to be installed. There is a ruby routine that performs this function. In addition, there are packages that are architecture based so the LDAP directory is searched using the $sp-machine_model variable passed from facter.

And another thing, we have some of our schools that are connected via T1 and we don't think that we can load packages onto about 40+ computers efficiently over the link, so we will be putting 'package servers' local to those sites. So we have a ruby routine that will look at the nodes domain name and determine where the node's package source will be.

We are still in the testing phase of the project and I am sure that there will be changes, but using LDAP to determine package installation will be a HUGE time and money saver for us.

Kurt Engle
Network Engineer
Eugene 4J Schools
Eugene, Or.
Nigel Kersten
2009-Apr-24 18:41 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
On Fri, Apr 24, 2009 at 11:02 AM, engle <kurt.engle@gmail.com> wrote:

> And another thing, we have some of our schools that are connected via
> T1 and we don't think that we can load packages onto about 40+
> computers efficiently over the link, so we will be putting 'package
> servers' local to those sites. So we have a ruby routine that will
> look at the nodes domain name and determine where the node's package
> source will be.

Kurt, what we do is have a 'pkgbase' fact, and all our packages are specified as:

    source => "$pkgbase/foo/bar.pkg",

We found this logic was easier to do client side than server side.

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.
Jose Gonzalez
2009-Apr-24 22:17 UTC
[Puppet Users] Re: Using LDAP to determine package distribution
________________________________
From: Nigel Kersten <nigelk@google.com>
To: puppet-users@googlegroups.com
Sent: Friday, April 24, 2009 2:41:30 PM
Subject: [Puppet Users] Re: Using LDAP to determine package distribution

On Fri, Apr 24, 2009 at 11:02 AM, engle <kurt.engle@gmail.com> wrote:

> And another thing, we have some of our schools that are connected via
> T1 and we don't think that we can load packages onto about 40+
> computers efficiently over the link, so we will be putting 'package
> servers' local to those sites. So we have a ruby routine that will
> look at the nodes domain name and determine where the node's package
> source will be.

Kurt, what we do is have a 'pkgbase' fact, and all our packages are specified as:

    source => "$pkgbase/foo/bar.pkg",

We found this logic was easier to do client side than server side.

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.