Betsy Schwartz
2014-Jul-13 20:01 UTC
[Puppet Users] Best Practice - replacing /etc/passwd and +@netgroups
We're running primarily RHEL6, and Puppet Enterprise 3.2. In our non-puppetized world, we make heavy use of netgroups (stored in LDAP, entered in /etc/passwd) to control access to servers. There's been much discussion and some confusion about the best way to control user access going forwards. The LDAP netgroups are also used for sudoers permissions.

It feels like this is a very "vanilla" way to use password files and netgroups. Does someone here have a good way to manage this, or a better idea?

The primary puppet programmer in our group started working with the forge accounts module, but fell down a rathole because RHEL6 default system accounts have multiple users with the same home directory and the forge module wouldn't accommodate that. I don't want to spend a huge amount of time and effort coding around accommodating RHEL system user accounts that never, ever, change.

My gut instinct is that we should find some way (Augeas?) to assemble /etc/passwd accounts from a default set of text entries plus some custom lines for each server. If we don't come up with a better idea we're going to end up pushing password files out as *files*, which I understand is not the DevOps Puppet Way but it's better than what we're doing now.

Is this, indeed, a Solved Problem? What is everyone else doing?

thanks
Betsy