William Leese
2013-Nov-14 07:50 UTC
[Puppet Users] User Management in LDAP/Kerberos (freeipa)
Hi,

I'm faced with the question if we should be doing user management directly using freeipa (an integrated LDAP, Kerberos, CA, etc) or by manipulating freeipa using Puppet.
Installation and configuration of the service is already performed through Puppet so this only concerns the data stored by freeipa (users, groups, sshkeys, sudo permissions, etc).

Pros of puppet:
- everything goes through source control
- we love puppet

Cons:
- exposing all functionality is near impossible and thus the chances of the puppet config not being a perfect representation of the freeipa config is rather high

I was wondering if fellow admins have faced this question and have any insights I should consider.
Brian Mathis
2013-Nov-14 16:58 UTC
Re: [Puppet Users] User Management in LDAP/Kerberos (freeipa)
Puppet is really meant for managing systems, not data. The data in LDAP is really more like database data, not so much as system information, even though many system services use it to get information.

Consider if you would use Puppet to manage data (like web site content) in a MySQL database. You might use Puppet to create the table structure as part of the installation process, but not to revise the data itself.

❧ Brian Mathis

On Thu, Nov 14, 2013 at 2:50 AM, William Leese <william.leese@meltwater.com> wrote:
> Hi,
>
> I'm faced with the question if we should be doing user management directly
> using freeipa (an integrated LDAP, Kerberos, CA, etc) or by manipulating
> freeipa using Puppet.
> Installation and configuration of the service is already performed through
> Puppet so this only concerns the data stored by freeipa (users, groups,
> sshkeys, sudo permissions, etc).
>
> Pros of puppet:
> - everything goes through source control
> - we love puppet
>
> Cons:
> - exposing all functionality is near impossible and thus the chances of
> the puppet config not being a perfect representation of the freeipa config
> is rather high
>
> I was wondering if fellow admins have faced this question and have any
> insights I should consider.
William Leese
2013-Nov-15 02:30 UTC
Re: [Puppet Users] User Management in LDAP/Kerberos (freeipa)
> The data in LDAP is really more like database data, not so much as system information

I guess the question really revolves around this: despite the system configuration being stored in a datastore that provides an infinite amount of flexibility, do you continue to consider your system configuration data to fall under the domain of data management or system configuration management? Although neither one excludes puppet per se.

Anyway, indeed I feel that the cons of using Puppet in this case weigh more than the pros.