Emilien
2012-Mar-06 10:24 UTC
[Puppet Users] Fetch ldap authorized_keys from ldap, copy to puppets local filesystem for needed users
Hello,

I'm trying to set up the following environment:

Ldap containing
  users as posixaccount (uid, home directory,.... and an attribute containing their ssh public key).
  machines with an attribute indicating which users or user groups are allowed to ssh to the box

What I'd like to do is the following:

From puppetmaster, browse the ldap and

  loop on each machine
    Fetch the users allowed to login
    Loop on each user
      Fetch their uid, etc
      Fetch their ssh public key
      create the /home/$username/.ssh/authorized_keys file
    End loop
    Delete /home/$username for all users having no longer access to the box
  End loop

This is needed because ssh server on machines is configured only with publickey auth so I need to put the authorized_keys file for them to be able to connect to the box.

I don't really know where to start... I can manually create the authorized_key file on my puppet nodes but by manually specifying the user and the public key, I have no idea how to get the information from ldap and then loop in my script...

I've tried looking at the documentation but don't really know where to start. I've found the wiki page on defining nodes inside ldap but I'm not sure that this is what I need.

Thanks for your time,
Best regards,
Emilien

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
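The per-host loop described in the post, as an added example that is not part of the original thread or of Puppet: the LDAP search is replaced by constructed in-memory entries (the attribute names sshPublicKey, from the OpenSSH-LPK schema, and a hypothetical allowedUser host attribute are assumptions), so only the selection, authorized_keys content and stale-home logic is shown. It goes one step beyond the post by accepting only bare key lines, so that an authorized_keys option stored in the directory is never pushed to a host.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for LDAP search results (assumption: a python-ldap or
# ldap3 search returning the same attribute dicts). Attribute names are
# assumptions: sshPublicKey (OpenSSH-LPK schema); allowedUser is hypothetical.
USERS = [
    {"uid": "alice", "homeDirectory": "/home/alice",
     "sshPublicKey": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nStrUcTeD alice@example.org"]},
    {"uid": "bob", "homeDirectory": "/home/bob",
     "sshPublicKey": ['command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2E bob@example.org']},
    {"uid": "carol", "homeDirectory": "/home/carol", "sshPublicKey": []},
]
HOSTS = [{"cn": "web01", "allowedUser": ["alice", "bob", "dave"]}]

# Accept only a bare "<type> <base64> [comment]" line: an authorized_keys
# option (command=, environment=, ...) stored in the directory must not be
# written to hosts verbatim.
KEY_RE = re.compile(
    r"^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S+)?$")

def valid_keys(raw: Iterable[str]) -> List[str]:
    """Keep only well-formed public key lines."""
    return [k.strip() for k in raw if KEY_RE.match(k.strip())]

def authorized_keys_for_host(hostname: str, hosts, users) -> Dict[str, Tuple[str, str]]:
    """uid -> (homeDirectory, authorized_keys text) for users granted on hostname.
    Unknown uids are skipped; a granted user with no usable key gets empty text."""
    host = next((h for h in hosts if h["cn"] == hostname), None)
    if host is None:
        raise KeyError(f"no host entry for {hostname}")
    by_uid = {u["uid"]: u for u in users}
    result: Dict[str, Tuple[str, str]] = {}
    for uid in host.get("allowedUser", []):
        user = by_uid.get(uid)
        if user is None:
            continue
        keys = valid_keys(user.get("sshPublicKey", []))
        result[uid] = (user["homeDirectory"], "".join(k + "\n" for k in keys))
    return result

def stale_homes(existing: Iterable[str], granted: Dict[str, Tuple[str, str]]) -> List[str]:
    """Home directories present on the box whose owner is no longer granted access."""
    keep = {home for home, _ in granted.values()}
    return sorted(h for h in existing if h not in keep)
```

The returned text is what would be written to each user's ~/.ssh/authorized_keys; stale_homes takes the directory listing the post wants to prune and returns the candidates to remove.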
Craig White
2012-Mar-06 15:19 UTC
Re: [Puppet Users] Fetch ldap authorized_keys from ldap, copy to puppets local filesystem for needed users
On Mar 6, 2012, at 3:24 AM, Emilien wrote:

> Hello,
>
> I'm trying to set up the following environment:
>
> Ldap containing
> users as posixaccount (uid, home directory,.... and an attribute
> containing their ssh public key).
> machines with an attribute indicating which users or user groups are
> allowed to ssh to the box
>
> What I'd like to do is the following:
>
> From puppetmaster, browse the ldap and
>
> loop on each machine
> Fetch the users allowed to login
> Loop on each user
> Fetch their uid, etc
> Fetch their ssh public key
> create the /home/$username/.ssh/authorized_keys file
> End loop
> Delete /home/$username for all users having no longer access to the
> box
> End loop
>
> This is needed because ssh server on machines is configured only with
> publickey auth so I need to put the authorized_keys file for them to
> be able to connect to the box.
>
> I don't really know where to start... I can manually create the
> authorized_key file on my puppet nodes but by manually specifying the
> user and the public key, I have no idea how to get the information
> from ldap and then loop in my script...
>
> I've tried looking at the documentation but don't really know where to
> start. I've found the wiki page on defining nodes inside ldap but I'm
> not sure that this is what I need.
>
> Thanks for your time,

----
I don't think that puppet is really the best tool for the job and that you should probably reexamine the mission and you will find that there are better implementations within LDAP (host based access).

I suppose if you were really determined to go down your path, you could write some custom fact that gave you the output of 'ls /home' to get an overview of who had home directories on each server, but the puppet way would be to have each server put everyone's home directory (with public keys) and allow LDAP (PAM/PADL/LDAP) to handle whether a particular user can access a particular host.
Craig