To update this, I've worked with two clients who need to manage a local group in the event LDAP is down. The use case is this:
PAM is configured via /etc/security/access.conf to only allow certain groups to login to the system. Operations team members have local accounts which are not managed by Puppet. They are all a member of an "ops" group, which is defined in LDAP.
In the event LDAP is misbehaving, the ops team is unable to log into the machine to do maintenance because access.conf cannot resolve the "+ : ops : ALL" rule and falls through to the default deny-all rule.
As a fallback mechanism, we want to define a group named "ops-local" which lists accounts who should always have maintenance access, even if LDAP is misbehaving.
We cannot do this in Puppet. This used to work in earlier versions of Puppet, and according to the documentation it should work with the membership field:
class opslocal {
  # Local fallback group; the title is quoted because it contains a hyphen.
  group { 'ops-local':
    ensure     => present,
    forcelocal => true,
    gid        => '12345',
    members    => ['jeff.mccune'],
    provider   => 'groupadd',
  }
}

include opslocal
When Puppet runs, it creates the opslocal group but does not manage membership like it should and is documented to with the members parameter. Here is the result:
$ grep opslocal /etc/group
opslocal:x:50101:
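As an added check (not part of the original report or of Puppet), the shell functions below verify the two halves of the fallback described above: that the local group file actually lists the intended member, and that access.conf grants the fallback group in a "+" rule before the final deny-all rule. The group name ops-local, the member jeff.mccune and the sample access.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the intended rule ordering in /etc/security/access.conf:
# the local fallback group is listed next to the LDAP group, so the "+" rule
# still matches when "ops" cannot be resolved, and deny-all stays last.
ACCESS_CONF_SAMPLE='+ : root : LOCAL
+ : ops ops-local : ALL
- : ALL : ALL'

# Does a group in an /etc/group-format file list a given member?
# $1 = path to group file, $2 = group name, $3 = member; exit 0 if present.
group_has_member() {
  awk -F: -v g="$2" -v m="$3" '
    $1 == g {
      n = split($4, members, ",")
      for (i = 1; i <= n; i++) if (members[i] == m) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Is the fallback group granted by a "+" rule before the "- : ALL : ALL" line?
# $1 = path to access.conf, $2 = fallback group; exit 0 if the ordering is right.
access_conf_has_fallback() {
  awk -F: -v g="$2" '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
      perm = $1; users = $2
      gsub(/[[:space:]]/, "", perm)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", users)
    }
    perm == "-" && users == "ALL" { exit ok ? 0 : 1 }   # deny-all reached
    perm == "+" {
      n = split(users, u, " ")                # user/group list is space separated
      for (i = 1; i <= n; i++) if (u[i] == g) ok = 1
    }
    END { exit ok ? 0 : 1 }' "$1"
}
```

Run against the real files with `group_has_member /etc/group ops-local jeff.mccune` and `access_conf_has_fallback /etc/security/access.conf ops-local`; a non-zero exit from either means the fallback would not save a login while LDAP is down.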