Ben Lavender
2009-Aug-05 10:43 UTC
[Puppet Users] Purging non-LDAP users, but ignore the LDAP users?
I'm trying to manage my userbase in puppet and having some trouble. My setup: users exist in LDAP. Public keys exist in LDAP (I really recommend this patch, see http://code.google.com/p/openssh-lpk/wiki/Main). Some machines use NFS to mount an exported set of home directories; others do not. This means that very few user resources actually exist on most servers, but PAM will still return a list of users from LDAP. So I would like to make sure that if you are logging in, you are actually logging in with LDAP--basically, I want to get rid of anything in /etc/passwd. I add a resources clause to purge non-LDAP users:

    resources { user:
      purge => true,
      unless_system_user => true,
    }

Disaster, along with what appears to be a bug reporting a user found 'in both useradd and useradd' for each user that existed both on the system and in LDAP:

    Aug 5 06:22:11 nagios1 puppetd[32643]: Starting catalog run
    Aug 5 06:22:11 nagios1 puppetd[32643]: User ben found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:11 nagios1 puppetd[32643]: User xyz found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:11 nagios1 puppetd[32643]: User nagios found in both useradd and useradd; skipping the useradd version
    Aug 5 06:22:16 nagios1 puppetd[32643]: (/User[xyz]/ensure) removed
    ... snip a bunch of LDAP users getting removed ...
    Aug 5 06:22:20 nagios1 puppetd[32643]: (/User[ben]/ensure) change from present to absent failed: Could not delete user ben: Execution of '/usr/sbin/userdel ben' returned 8: userdel: user ben is currently logged in
    Aug 5 06:22:20 nagios1 puppetd[32643]: Finished catalog run in 8.82 seconds

Fortunately, my systems do not have write access to LDAP. Based on this line in the type reference for resources, "Any metaparams specified here will be passed on to any generated resources," I tried adding a 'provider' clause to the user resources but no dice.
I'm not sure manually setting it to useradd will actually do what I want anyway. I'm guessing puppet simply doesn't support what I'm looking for right now, since LDAP users appear normally in most of the POSIX libraries. Is that assumption correct? If so, does anyone have any suggestions for how to manage this? I am thinking I can make LDAP users be 200-300 or so and then the purge will consider them system accounts and still purge anything over 500 created with useradd. I hate awkward solutions, though, and was wondering if someone else has come across this before.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
David Schmitt
2009-Aug-05 10:53 UTC
[Puppet Users] Re: Purging non-LDAP users, but ignore the LDAP users?
Ben Lavender wrote:
> I'm trying to manage my userbase in puppet and having some trouble.
> This means that very few user resources actually exist on most
> servers, but PAM will still return a list of users from LDAP. So I
> would like to make sure that if you are logging in, you are actually
> logging in with LDAP--basically, I want to get rid of anything in /etc/
> passwd. I add a resources clause to purge non-LDAP users:

If that's really what you want -- purging /etc/passwd -- using a File would be much easier and directly capture your intent:

    file {
      "/etc/passwd":
        ensure => absent;
    }

I'd recommend providing at least a few system users in the default template instead of deleting the file altogether. E.g. some packages create users for their files.

Regards, DavidS
Ben Lavender
2009-Aug-05 11:01 UTC
[Puppet Users] Re: Purging non-LDAP users, but ignore the LDAP users?
> If that's really what you want -- purging /etc/passwd -- using a File
> would be much easier and directly capture your intent:
>
> file {
>   "/etc/passwd":
>     ensure => absent;
> }
>
> I'd recommend to provide at least a few system users in the default
> template instead of deleting the file altogether. E.g. some packages
> create users for their files.

For the reasons you just explained, this won't do. Users like daemon, cron, and various system accounts are all still around and need to be. I'm also not sure what pam would do with itself without passwd, to be honest, and would hate to find out! :)

Thank you though,
Ben

> Regards, DavidS
Nicolas Szalay
2009-Aug-05 11:34 UTC
[Puppet Users] Re: Purging non-LDAP users, but ignore the LDAP users?
On Wednesday, 05 August 2009 at 04:01 -0700, Ben Lavender wrote:
> For the reasons you just explained, this won't do. Users like daemon,
> cron, and various system accounts are all still around and need to
> be. I'm also not sure what pam would do with itself without passwd,
> to be honest, and would hate to find out! :)

Non-system users are often given a UID >= 1000; write a script to find these, delete them and use Exec to run it.

Beware of "nobody", which is often given the highest UID (65534 here).

Regards,
Nico.
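A constructed example of the script Nico describes, added here by the editor and not part of the thread. It reads the local passwd file directly rather than asking NSS/getent, which is exactly why LDAP accounts never show up in its output; the file path, the UID threshold and the sample passwd content are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Editor's example, not from the thread: find local (file-backed) accounts
# with a regular-user UID so they can be purged while LDAP users, which are
# never written to /etc/passwd, are left alone.

# find_local_users PASSWD_FILE [MIN_UID]
# Prints one username per line for entries whose UID is >= MIN_UID
# (default 1000), skipping "nobody" and the conventional nobody UID 65534.
find_local_users() {
    passwd_file="$1"
    min_uid="${2:-1000}"
    awk -F: -v min="$min_uid" '
        $3 >= min && $3 != 65534 && $1 != "nobody" { print $1 }
    ' "$passwd_file"
}

# purge_plan PASSWD_FILE [MIN_UID]
# Emits the userdel commands without running them; pipe to sh to apply.
# Keeping the plan separate from execution makes the Exec step reviewable.
purge_plan() {
    find_local_users "$1" "${2:-1000}" | while IFS= read -r user; do
        printf 'userdel %s\n' "$user"
    done
}

# make_sample_passwd OUTFILE
# Writes a constructed passwd file (sample data, not a real system) so the
# functions above can be exercised offline.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
cron:x:101:102::/var/spool/cron:/bin/false
nagios:x:105:109::/var/lib/nagios:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# Demo: ./purge-local-users.sh --demo   (no changes are made to the system)
if [ "${1:-}" = "--demo" ]; then
    demo_file=$(mktemp)
    make_sample_passwd "$demo_file"
    echo "Local non-system users (UID >= 1000):"
    find_local_users "$demo_file" 1000
    echo "Planned commands:"
    purge_plan "$demo_file" 1000
    rm -f "$demo_file"
fi
```

Against the real system the call is `purge_plan /etc/passwd 1000`. As the original post's log shows, `userdel` returns 8 for a user who is currently logged in, so a run from Puppet's Exec should expect that exit code and report it rather than treat the whole run as failed; an `onlyif` that checks `find_local_users` prints anything keeps the Exec idempotent.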
Ben Lavender
2009-Aug-05 16:52 UTC
[Puppet Users] Re: Purging non-LDAP users, but ignore the LDAP users?
Thanks. This is a good idea to try and fix this.

On Aug 5, 8:34 pm, Nicolas Szalay <nsza...@qualigaz.com> wrote:
> On Wednesday, 05 August 2009 at 04:01 -0700, Ben Lavender wrote:
>
> > For the reasons you just explained, this won't do. Users like daemon,
> > cron, and various system accounts are all still around and need to
> > be. I'm also not sure what pam would do with itself without passwd,
> > to be honest, and would hate to find out! :)
>
> non system users are often given an UID >= 1000, write a script to find
> these, delete them and use Exec to run it.
>
> Beware of "nobody" that is often given the highest UID (65534 here)
>
> Regards,
>
> Nico.