Hi All

I have just published a module that synchronises users and groups from Active Directory into a Puppet manifest, which can then be rolled out to subscribed agents/workstations. The module maintains generated uids and gids in an SQLite database. It has only been tested on Puppet Enterprise 2.6.1 and RHEL 6.3 so far, at my end.

The module is called lpep and you can view it at http://forge.puppetlabs.com/new23d/lpep

It would be great if I can find some users who would be interested in testing this module! For your reference, I am copying the contents of its README file here.

=======

lpep
LDAP passwd Enumerator for Puppet

Purpose
-------
Add users and groups from Active Directory to your Red Hat 6.x compatible systems

License
-------
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

Setup
-----
On Red Hat 6.x compatible systems:
(1) command: yum install pam_ldap
(2) command: authconfig --enableldapauth --ldapserver="ldap://ad.example.com" --ldapbasedn="dc=example,dc=com" --updateall
(3) in /etc/pam_ldap.conf, add the following lines towards the end
    binddn cn=foo,ou=bar,dc=example,dc=com
    bindpw fubar
    pam_login_attribute sAMAccountName

In the lpep module:
(1) edit manifests/lpep.ini to configure ldap settings
(2) ensure bin/lpep.py is executable
(3) ensure manifests/lpep.pp, bin/lpep.db and bin/profiling.log are writable

Known Issues
------------
(1) objects are tracked only by their username (or sAMAccountName) and not by SID, therefore if a username were to change, that would generate a new numeric uid
(2) objects are not removed from the target system's local user database, but if the ldap authentication were to fail, the user won't be able to login anyway
(3) limited to up to 1000 objects from active directory

Notes
-----
(1) objects are stored in a local sqlite database, and the numeric uids and gids retained
(2) coded originally for domino ldap, therefore the routines may not be ideal for active directory

=======

The module actually calls a Python script and is a bit of a hack. Apologies for that and I do intend to polish it up over time if the concept in which it tackles the problem gains acceptance, i.e. locally created users and groups with remote LDAP authentication.

Thanks
new23d

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/wd6zBzRnA1MJ.
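The core of what the post describes is a script that turns directory records into `group`/`user` resources in a Puppet manifest while keeping the numeric ids stable in SQLite, so file ownership on the workstations does not shift between runs. The block below is an added illustration of that idea and is not lpep's own code: the directory records, SIDs, group names and the 10000 starting range are constructed for the example, and the function names are hypothetical. It deliberately goes one step beyond the README's first known issue by keying accounts on `objectSid` rather than `sAMAccountName`, so a renamed account keeps its uid; it also refuses names that are not valid local account names, so directory data cannot produce a malformed manifest, and it never deletes rows, so an old uid is never handed to a new account.

```python
import re
import sqlite3

# Constructed sample records standing in for an LDAP search result; the names,
# SIDs and group memberships are made up for this example.
SAMPLE_GROUPS = ["devs", "ops"]
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1111-2222-3333-1105", "memberOf": ["devs"]},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1111-2222-3333-1106", "memberOf": ["devs", "ops"]},
]

FIRST_UID = 10000  # assumed start of the range reserved for directory-sourced accounts
FIRST_GID = 10000
# Only accept names that are valid local account names; the quotes around the name
# are the only delimiter in the generated resource, so nothing else may appear in it.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def open_db(path=":memory:"):
    """Open (or create) the SQLite store that keeps uid/gid assignments stable."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS user_ids ("
               "sid TEXT PRIMARY KEY, name TEXT NOT NULL, uid INTEGER UNIQUE NOT NULL)")
    db.execute("CREATE TABLE IF NOT EXISTS group_ids ("
               "name TEXT PRIMARY KEY, gid INTEGER UNIQUE NOT NULL)")
    return db


def allocate_gid(db, name):
    """Return the gid already recorded for a group, or hand out the next free one."""
    row = db.execute("SELECT gid FROM group_ids WHERE name = ?", (name,)).fetchone()
    if row:
        return row[0]
    # Rows are never deleted, so MAX+1 never recycles a gid that a group once had.
    gid = db.execute("SELECT COALESCE(MAX(gid) + 1, ?) FROM group_ids", (FIRST_GID,)).fetchone()[0]
    db.execute("INSERT INTO group_ids (name, gid) VALUES (?, ?)", (name, gid))
    return gid


def allocate_uid(db, sid, name):
    """Return the uid for an account, keyed by objectSid so a rename keeps its uid."""
    row = db.execute("SELECT uid, name FROM user_ids WHERE sid = ?", (sid,)).fetchone()
    if row:
        if row[1] != name:  # renamed in the directory: record the new name, keep the uid
            db.execute("UPDATE user_ids SET name = ? WHERE sid = ?", (name, sid))
        return row[0]
    uid = db.execute("SELECT COALESCE(MAX(uid) + 1, ?) FROM user_ids", (FIRST_UID,)).fetchone()[0]
    db.execute("INSERT INTO user_ids (sid, name, uid) VALUES (?, ?, ?)", (sid, name, uid))
    return uid


def build_manifest(db, users, groups):
    """Emit Puppet group and user resources for the given directory records."""
    for name in list(groups) + [u["sAMAccountName"] for u in users]:
        if not NAME_RE.match(name):
            raise ValueError("refusing directory object with unsafe name %r" % name)
    lines = ["# generated from the directory; do not edit by hand"]
    for g in sorted(groups):
        lines.append("group { '%s': ensure => present, gid => %d }" % (g, allocate_gid(db, g)))
    for u in sorted(users, key=lambda r: r["sAMAccountName"]):
        name = u["sAMAccountName"]
        uid = allocate_uid(db, u["objectSid"], name)
        # Only groups that are themselves being managed are listed as memberships.
        members = ", ".join("'%s'" % g for g in u["memberOf"] if g in groups)
        lines.append("user { '%s': ensure => present, uid => %d, groups => [%s], "
                     "managehome => true, shell => '/bin/bash' }" % (name, uid, members))
    db.commit()
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    store = open_db()
    print(build_manifest(store, SAMPLE_USERS, SAMPLE_GROUPS))
```

Running the script twice against the same database file yields the same ids; renaming an account in the directory (same `objectSid`, new `sAMAccountName`) changes the resource title but not its uid, which is exactly the behaviour the README's first known issue says lpep does not yet have.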