ensure user and group created


Tim Dunphy

Feb 26, 2014, 5:17:05 PM
to puppet...@googlegroups.com
Hey all,

I've created a Puppet module to control LDAP in my environment. The ldap packages on both the CentOS and Ubuntu hosts seem to require a user and group called 'ldap' (respectively).

In my ldap::install class I have the following defined:

user { "ldap":
  ensure => present,
}

group { "ldap":
  ensure => present,
}


But on each Puppet run after the user and group are created, the following error occurs:

err: /Stage[main]/Ldap::Install/User[ldap]/ensure: change from absent to present failed: Could not create user ldap: Execution of '/usr/sbin/useradd -M ldap' returned 9: useradd: group ldap exists - if you want to add this user to that group, use -g.

Is there any way to achieve being able to create this user and group and avoid the error on each run thereafter?

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

jcbollinger

Feb 27, 2014, 9:34:34 AM
to puppet...@googlegroups.com


On Wednesday, February 26, 2014 4:17:05 PM UTC-6, bluethundr wrote:
Hey all,

I've created a Puppet module to control LDAP in my environment. The ldap packages on both the CentOS and Ubuntu hosts seem to require a user and group called 'ldap' (respectively).

In my ldap::install class I have the following defined:

user { "ldap":
  ensure => present,
}

group { "ldap":
  ensure => present,
}



You may be overthinking this.  Certainly on CentOS and probably on Ubuntu, the standard OpenLDAP packages take care of ensuring the needed user and group configuration is set up.

It is not entirely superfluous to manage them in Puppet as well if you're worried about them being removed later, but do note that the user and group may have standard UID and GID numbers, respectively, in each distribution, and that assigning them different ones may cause you grief.  Also note that these are generally a 'system' user and group, and as such they should take UID and GID numbers in a different (lower) range than standard users and groups do.

Note also that your User declaration is probably underspecified.  In addition to declaring it a 'system' user, you should also declare that it must belong to group 'ldap'.  I suspect that doing so will resolve your problem, though if not doing so causes a problem then that constitutes a minor bug.  Feel free to file a ticket.
 

But on each Puppet run after the user and group are created, the following error occurs:

err: /Stage[main]/Ldap::Install/User[ldap]/ensure: change from absent to present failed: Could not create user ldap: Execution of '/usr/sbin/useradd -M ldap' returned 9: useradd: group ldap exists - if you want to add this user to that group, use -g.

Is there any way to achieve being able to create this user and group and avoid the error on each run thereafter?



I'm confident that there is.  Try adding

  system => true

to both the User and the Group declaration, and adding

  gid => 'ldap'

to the group declaration.  Let us know how it works out.


John

Ryan Anderson

Feb 28, 2014, 8:52:56 AM
to puppet...@googlegroups.com
This was a known problem with earlier Puppet releases where adding local users would fail if they existed in a network name service (LDAP, NIS, etc.), so more recent 3.x Puppet versions of the user resource have a 'forcelocal' option. Use this, and it will work.
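
Added example (not from any poster in this thread): one way to write the two declarations with the attributes suggested in the replies, so that the 'ldap' service account is a system account whose primary group is the managed 'ldap' group. The class layout, the explicit require and the comments are assumptions; gid is placed on the User resource, following the point that the user must belong to group 'ldap'.

```puppet
# Added example; not the original poster's module.
class ldap::install {

  # System group for the LDAP daemon. No numeric gid is set here; if your
  # distribution reserves a fixed GID for 'ldap', set it to that value
  # (the number is not given in the thread).
  group { 'ldap':
    ensure => present,
    system => true,
  }

  # System user for the LDAP daemon.
  user { 'ldap':
    ensure     => present,
    system     => true,

    # Primary group. With this set, the useradd provider passes -g, which is
    # what the "group ldap exists ... use -g" error message asks for.
    gid        => 'ldap',

    # Only relevant when an 'ldap' account is also visible through a network
    # name service (LDAP, NIS); needs a Puppet version and provider that
    # support the attribute.
    forcelocal => true,

    # Puppet autorequires a managed primary group; stated explicitly here so
    # the ordering is visible to the reader.
    require    => Group['ldap'],
  }
}
```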

