All,

We use LDAP authentication against Active Directory on our Linux systems. If a user is not in AD, they don't get authenticated. We remove all AD-authenticated users' shadow entries to keep the shadow expirations from interfering with authentication. However, the "user" type in Puppet insists that a user have a shadow entry and re-creates it on every run. This forces us to put in another bit of code that removes the shadow entry that Puppet just added.

This gives us the functionality that we need, but it also creates a whole bunch of notices and a flurry of unnecessary activity every time Puppet runs. Anyone have any ideas on how to create and manage users without forcing them to have a shadow entry at all?

Mark

Hi Mark,

We also use the combination of AD/LDAP + Puppet and I just checked and I don't have any entries in the shadow file for any AD users. I also checked the provider code and in fact AFAICS it first checks if any changes need to be applied (by comparing property values specified in the manifest to values returned by the provider).

Note that in my manifests I only have user/group resources for those coming from AD defined for dependency specification, without any attributes like UID or GID set on them.

What does your usage of them look like?

BTW I'm running 0.24.8 on CentOS-5.

Michael

On Friday 28 August 2009 15:29:38 Gajillion wrote:
> All,
> We use LDAP authentication against Active Directory on our Linux
> systems. If a user is not in AD, they don't get authenticated.
> We remove all AD-authenticated users' shadow entries to keep the shadow
> expirations from interfering with authentication. However, the "user"
> type in Puppet insists that a user have a shadow entry and re-creates
> it on every run. This forces us to put in another bit of code that
> removes the shadow entry that Puppet just added.
>
> This gives us the functionality that we need, but it also creates a
> whole bunch of notices and a flurry of unnecessary activity every time
> Puppet runs. Anyone have any ideas on how to create and manage users
> without forcing them to have a shadow entry at all?
>
> Mark

--
Michael Gliwinski
Henderson Group Information Services

I withdraw my question in shame :( Turns out one of my fellow madmins was overriding our new user creation calls and inserting a default password. Doh! Removing that solves the problem.

On Aug 31, 6:18 am, Michael Gliwinski <Michael.Gliwin...@henderson-group.com> wrote:
> Hi Mark,
>
> We also use the combination of AD/LDAP + Puppet and I just checked and I don't
> have any entries in the shadow file for any AD users. I also checked the
> provider code and in fact AFAICS it first checks if any changes need to be
> applied (by comparing property values specified in the manifest to values
> returned by the provider).
>
> Note that in my manifests I only have user/group resources for those coming
> from AD defined for dependency specification, without any attributes like UID
> or GID set on them.
>
> What does your usage of them look like?
>
> BTW I'm running 0.24.8 on CentOS-5.
>
> Michael
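
An audit for the situation discussed in this thread, added here as an example and not taken from any poster's setup: given a list of directory-managed usernames (an assumed input file, one name per line), it reports which of them still have a local shadow entry and whether a password hash is set there. The function names, file layout and sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# stray_shadow_entries USERS_FILE [SHADOW_FILE]
#   USERS_FILE   directory-managed usernames, one per line (assumed input)
#   SHADOW_FILE  shadow file to inspect (default /etc/shadow; reading it needs root)
# Prints "user<TAB>status" for every listed user that has a shadow entry.
stray_shadow_entries() {
    users_file=$1
    shadow_file=${2:-/etc/shadow}
    awk -F: '
        FILENAME == ARGV[1] {            # first file: collect managed usernames
            if ($1 != "" && $1 !~ /^#/) managed[$1] = 1
            next
        }
        ($1 in managed) {                # second file: shadow entries
            # Field 2 is the password field: empty, a lock marker, or a hash.
            if ($2 == "")          status = "empty-password"
            else if ($2 ~ /^[!*]/) status = "locked"
            else                   status = "hash-set"
            printf "%s\t%s\n", $1, status
        }
    ' "$users_file" "$shadow_file"
}

# Runs the audit over constructed sample data (not real accounts or hashes).
demo_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' mark michael alice > "$tmp/ad_users"
    cat > "$tmp/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:14480:0:99999:7:::
mark:$1$constructed$defaultpassword:14480:0:99999:7:::
michael:!!:14480:0:99999:7:::
EOF
    stray_shadow_entries "$tmp/ad_users" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_audit
```

A `hash-set` result for a directory-managed user is the case from this thread: something in the manifests is supplying a password for that account.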