We're using local passwd/shadow files on all our linux hosts for
authentication and manage them by defining virtual resources like the
following and realizing them in the appropriate classes based on
authorization requirements.
    @user {
        "username":
            comment    => "User Name",
            uid        => "65555",
            # single quotes, so the $ characters in the hash are not interpolated
            password   => '$9$5/PrhlML$AttWraRXLd0ASwCq.uIss1',
            home       => "/home/username",
            ensure     => "present",
            gid        => "65555",
            groups     => ["groupname"],
            shell      => "/bin/sh",
            managehome => true,
            require    => [Group["groupname"]],
            membership => minimum;
    }
Currently there is no way for me to directly tie puppet to ldap in our
environment (for various non technical reasons) but I would like to keep
the passwords synched with ldap. So I was thinking of writing a script
to query ldap and create perhaps a csv file containing username, password
hash, & shell values.
My question is can I have my puppet manifests, like the snippet above,
grab the values for password and shell from an external file? ... a file
that I create from ldap every night? I found
"http://nephilim.ml.org/~rip/puppet/extlookup.rb" but also wanted to ask
the community here if that's the best way to go. Any ideas will be
appreciated.
Regards,
Sukh
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Sukh,
To do this, I would recommend a cron job that populates a file on the
Puppet server readable by the puppet user.
I would then have a server function that uses the user name or uid to
collect the appropriate value from the file.
The main issue that I can see is that you're going to have to find some
way to convert the LDAP password from whatever format it's in to SHA or
MD5, depending on how you have your system set up.
If you have that worked out, you're golden.
See http://reductivelabs.com/trac/puppet/wiki/WritingYourOwnFunctions
for information about writing functions.
Personally, I would put your function in a module instead of the
server's lib directory.
You would then use something like:
    @user {
        "username":
            comment    => "User Name",
            uid        => "65555",
            password   => get_ldap_password('user'),
            home       => "/home/username",
            ensure     => "present",
            gid        => "65555",
            groups     => ["groupname"],
            shell      => "/bin/sh",
            managehome => true,
            require    => [Group["groupname"]],
            membership => minimum;
    }
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)
-- This account not approved for unencrypted sensitive information --
Sorry for the double post...been out of it today.
Personally, I wouldn't bother with a CSV, I'd just use a flat file with
two columns since it's a single map.
If you're going to get complicated, you'll probably want to use a local
MySQL database or the like and pull the LDAP data into that.
Trevor
On 01/09/2010 02:14 PM, Sukh Khehra wrote:
> We're using local passwd/shadow files on all our linux hosts for
<snip/>
--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)
-- This account not approved for unencrypted sensitive information --
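The lookup described in the two replies above (a two-column file on the Puppet server, read by a server-side function), written out as an added example that is not part of the original thread or of Puppet itself. It is plain Ruby so it runs without Puppet; the module name LdapPasswordMap, the file layout, and the permission policy (no world access, no group write) are assumptions.

```ruby
# Added example: the lookup a get_ldap_password-style function could call (names are assumptions).
module LdapPasswordMap
  class LookupError < StandardError; end
  USERNAME = /\A[a-z_][a-z0-9_-]{0,31}\z/
  # crypt(3) modular format: $id$[rounds=N$]salt$hash
  CRYPT = %r{\A\$[0-9a-z]+\$(rounds=\d+\$)?[./A-Za-z0-9]+\$[./A-Za-z0-9]+\z}

  # Refuse a map file that other local users could read or replace.
  def self.check_file!(path)
    st = File.lstat(path)
    raise LookupError, "#{path}: not a regular file" unless st.file?
    raise LookupError, "#{path}: mode too open" if (st.mode & 0o027) != 0
  rescue Errno::ENOENT
    raise LookupError, "#{path}: missing"
  end

  # Parse "username<whitespace>hash" lines; blanks and '#' comments are skipped.
  def self.read_map(path)
    check_file!(path)
    map = {}
    File.foreach(path).with_index(1) do |line, n|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      user, hash, extra = line.split(/\s+/, 3)
      raise LookupError, "line #{n}: expected two columns" if hash.nil? || extra
      raise LookupError, "line #{n}: bad username" unless user =~ USERNAME
      # Catches unconverted LDAP values such as {SSHA}... before they reach shadow.
      raise LookupError, "line #{n}: not a crypt hash" unless hash =~ CRYPT
      raise LookupError, "line #{n}: duplicate #{user}" if map.key?(user)
      map[user] = hash
    end
    map
  end

  # Raise on a missing user instead of returning an empty string: an empty
  # password field in shadow means no password is required for that account.
  def self.lookup(path, user)
    read_map(path).fetch(user) { raise LookupError, "no entry for #{user}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  require 'tempfile'
  Tempfile.create('ldapmap') do |f|            # Tempfile creates it mode 0600
    f.write("alice $6$saltsalt$abcDEF./123\n") # constructed sample entry
    f.flush
    puts LdapPasswordMap.lookup(f.path, 'alice')
  end
end
```

Because every failure raises, a malformed or stale map stops the catalog compile instead of pushing a bad value into shadow.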
Dear Sukh,
I am Siva Kumar from India. I am new to Puppet and we are planning to
deploy Puppet in our env., and I'm learning Puppet and working on basic
modules. However, I came across
http://itand.me/using-puppet-to-manage-users-passwords-and-ss ... for
user management in Puppet, and I followed it to deploy and test on my
test servers. But the above post is not fulfilling my requirement.
Could you please share your user management module with me? It would be
very useful to me. Thanks in advance.
Regards,
Siva Kumar