Having a brain storm this morning I had a thought. This can be dangerous at times.

I have an infrastructure where I am moving user authentication to be LDAP based. Further I am working out how to create host groups in LDAP such that I can group which user can log into what hosts. For instance I have

$users = ['tom','dick','jaine','harry','sally']

apple_host_users = ['tom','jane','sally']

bannana_host_users=['dick','harry']

etc.

Only instead of puppet arrays I'd be doing this in LDAP.

Has anybody managed to come up with a class or define that would query an LDAP server for a hostgroup and create the home directories and apply a skeleton to those directories based on the users in the host group?

I'm thinking this is probably going to have to be a custom fact...

--
Peter L. Berghold
Owner, Shark River Technical Solutions LLC

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Dec 12, 2011 at 3:24 PM, Peter Berghold <salty.cowdawg@gmail.com> wrote:
>
> Has anybody managed to come up with a class or define that would query an
> LDAP server for a hostgroup and create the home directories and apply a
> skeleton to those directories based on the users in the host group?
>

If you're not using autofs for home directories then you'll want to configure pam_mkhomedir so your LDAP users' homedirs are autocreated on first login. It takes care of populating from a skel, sets umask, etc.
On 12/12/11 12:41 PM, Darin Perusich wrote:
>
> On Mon, Dec 12, 2011 at 3:24 PM, Peter Berghold <salty.cowdawg@gmail.com> wrote:
>
> > Has anybody managed to come up with a class or define that would
> > query an LDAP server for a hostgroup and create the home
> > directories and apply a skeleton to those directories based on the
> > users in the host group?
>
> If you're not using autofs for home directories then you'll want to
> configure pam_mkhomedir so your LDAP users' homedirs are autocreated
> on first login. It takes care of populating from a skel, sets umask, etc.
>

I have a similar situation - but I need puppet to enforce specific permissions on the home directory itself.
Hi Peter,

we used a different method here for linux hosts.
We put the groups we want to grant access to in /etc/security/access.conf ; ala:

[root@---]# egrep -v ^# /etc/security/access.conf

- : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL

and then just add users to the group which permits access to the machines in question via ldap.

[root@---]# id wnoble
uid=9999(wnoble) gid=9999(pci_sysadmin) groups=77(puppet),9999(pci_sysadmin),9998(sysadmin)

that was the cleanest way I found to do it, but ymmv

W

On Dec 12, 2011, at 2:24 PM, Peter Berghold wrote:

> Having a brain storm this morning I had a thought. This can be dangerous at times.
>
> I have an infrastructure where I am moving user authentication to be LDAP based. Further I am working out how to create host groups in LDAP such that I can group which user can log into what hosts. For instance I have
>
> $users = ['tom','dick','jaine','harry','sally']
>
> apple_host_users = ['tom','jane','sally']
>
> bannana_host_users=['dick','harry']
> etc.
>
> Only instead of puppet arrays I'd be doing this in LDAP.
>
> Has anybody managed to come up with a class or define that would query an LDAP server for a hostgroup and create the home directories and apply a skeleton to those directories based on the users in the host group?
>
> I'm thinking this is probably going to have to be a custom fact...
>
>
> --
> Peter L. Berghold
> Owner, Shark River Technical Solutions LLC
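Wolf's access.conf rule above depends on two pam_access behaviours that are easy to get wrong: the first matching rule wins (and no match means access is granted), and a bare name in the user field matches either a login name or a group name, which is what lets group membership from LDAP drive access. The evaluator below is an added example, not code from the thread; it replays a constructed access.conf against a user's group list so a rule can be checked offline before it is pushed to hosts. It assumes only a subset of the pam_access(8) grammar (ALL, ALL EXCEPT, (group), LOCAL, exact names and .domain origins).

```python
# Added evaluator for /etc/security/access.conf rules (pam_access subset):
# first matching rule wins, no match means access is granted.
# Constructed sample: the single rule quoted in the thread.
SAMPLE_ACCESS_CONF = """\
# deny everyone except root and the admin groups, from anywhere
- : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL
"""


def parse_rules(text):
    """Return (permission, user_items, origin_items) for each active line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _field_matches(items, predicate):
    """Evaluate 'ALL', 'ALL EXCEPT a b c', or a plain list of items."""
    if items[:2] == ["ALL", "EXCEPT"]:
        return not any(predicate(i) for i in items[2:])
    return any(i == "ALL" or predicate(i) for i in items)


def _user_item(item, user, groups):
    # '(group)' is the explicit group form; a bare name matches a login or a group
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups


def _origin_item(item, origin):
    if item == "LOCAL":            # pam_access: an origin without a period is local
        return "." not in origin
    if item.startswith("."):       # '.example.com' matches hosts in that domain
        return origin.endswith(item)
    return item == origin          # tty, hostname or address, exact match


def access_allowed(conf_text, user, groups, origin):
    """True if pam_access would let `user` (member of `groups`) in from `origin`."""
    for perm, users, origins in parse_rules(conf_text):
        if (_field_matches(users, lambda i: _user_item(i, user, groups))
                and _field_matches(origins, lambda i: _origin_item(i, origin))):
            return perm == "+"
    return True                    # no rule matched: access granted
```

Feed it the group list from `id` on the target host (as in the `id wnoble` output above) to confirm that the EXCEPT clause admits exactly the accounts you expect and that everyone else is denied.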
On Dec 12, 2011, at 5:42 PM, Wolf Noble wrote:

> Hi Peter,
>
> we used a different method here for linux hosts.
> We put the groups we want to grant access to in /etc/security/access.conf ; ala:
>
> [root@---]# egrep -v ^# /etc/security/access.conf
>
> - : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL
>
> and then just add users to the group which permits access to the machines in question via ldap.
>
> [root@---]# id wnoble
> uid=9999(wnoble) gid=9999(pci_sysadmin) groups=77(puppet),9999(pci_sysadmin),9998(sysadmin)
>
> that was the cleanest way I found to do it, but ymmv
----
I think the cleanest way to do it is to use 'pam_check_host_attr yes' in /etc/ldap.conf and then you would have to configure each user's attributes for each host that you would allow him/her to access. That surely beats maintaining the access.conf on each machine - as in, why would you maintain users/groups in LDAP but manage access on each machine?

Craig
On Tue, Dec 13, 2011 at 09:58:06AM -0700, Craig White wrote:
>
> On Dec 12, 2011, at 5:42 PM, Wolf Noble wrote:
>
> > Hi Peter,
> >
> > we used a different method here for linux hosts.
> > We put the groups we want to grant access to in /etc/security/access.conf ; ala:

We use puppet to template /etc/nslcd.conf (from nss-pam-ldapd) with the ldap filter which describes the groups associated with the machine.

> > [root@---]# egrep -v ^# /etc/security/access.conf
> >
> > - : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL
> >
> > and then just add users to the group which permits access to the machines in question via ldap.
> >
> > [root@---]# id wnoble
> > uid=9999(wnoble) gid=9999(pci_sysadmin) groups=77(puppet),9999(pci_sysadmin),9998(sysadmin)
> >
> > that was the cleanest way I found to do it, but ymmv
> ----
> I think the cleanest way to do it is to use 'pam_check_host_attr yes' in /etc/ldap.conf and then you would have to configure each user's attributes for each host that you would allow him/her to access. That surely beats maintaining the access.conf on each machine - as in, why would you maintain users/groups in LDAP but manage access on each machine?
>
> Craig
>