User Management from LDAP / freeipa


Dan White

Feb 6, 2017, 9:33:46 AM
to puppet...@googlegroups.com
I am trying to figure out if I can do any user management from Puppet for users initially managed by Red Hat's Identity Manager (freeipa / ldap)

Here is a code snippet I tried:

# Class: wtf
#
class wtf {
  # Intended to detect the user that already exists on the node (via LDAP)
  if defined( User["dewhite"] ) {
    # Read the home attribute from the existing user resource
    $foo = User["dewhite"]["home"]
    notify { "->${foo}<-": }
  } else {
    # Fallback branch; this is the one that always runs
    notify { "woof": }
    user { 'dewhite':
      ensure => 'present',
    }
  }
}

The dewhite user is defined - and Puppet can "see" it :

[root ~]# puppet resource user dewhite
user { 'dewhite':
  ensure => 'present',
  comment => 'Daniel White',
  gid => '684400001',
  home => '/home/dewhite',
  shell => '/bin/bash',
  uid => '684400001',
}

but I always get the "else" half of the manifest.

My goal is to add things like dot-files and such.
I want to either be able to detect the existence of an LDAP-created user, or I would like to be able to manage the freeipa/LDAP users from Puppet.

Any ideas ?
 
Dan White | d_e_...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & Hobbes)

Christopher Wood

Feb 6, 2017, 9:58:39 AM
to puppet...@googlegroups.com
The defined function is more about whether something is defined in the catalog, if I recall correctly.

https://docs.puppet.com/puppet/latest/function.html#defined

This sounds like something for a custom fact which returns a list of users found on the system. You may have to do an ldapsearch from the custom fact to get the DNs to translate into usernames. Then your manifest can manage the dotfiles based on the user list.

However, in your place I might consider a login script which checked for the existence of dotfiles and then copied them over (plus a $HOME/.dot_file_copy_done sort of lockfile) on first login. That way you don't need convoluted manifest code to figure out users, and you won't accidentally overwrite anybody's custom dotfiles. People can get generic dotfiles by removing the lockfile. From the end user perspective I've had the same dotfiles for many years and I don't want my $HOME customizations interfered with.
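A fact along the lines Christopher describes, written out as an added example rather than code from the thread: a shell external fact (Facter reads executables in /etc/facter/facts.d and takes their key=value output) that treats every account `getent passwd` resolves but /etc/passwd does not list as directory-provided (sssd/IdM) and publishes the names as `directory_users`. Puppet's `defined()` only inspects the catalog, so a fact like this is what gives a manifest a view of the node's real user list. The sample passwd lines are constructed here; the `directory_users.sh` filename check and the UID floor of 1000 are assumptions.

```sh
#!/bin/sh
# External fact: directory_users (added example, not from the thread).
# Install as /etc/facter/facts.d/directory_users.sh (mode 0755).
# A user that NSS resolves (getent passwd, served by sssd on an IdM client)
# but that /etc/passwd does not list is taken to come from the directory.

# directory_users LOCAL_PASSWD NSS_PASSWD
# Prints a sorted, comma-separated list of directory user names.
directory_users() {
  local_names=$(printf '%s\n' "$1" | cut -d: -f1)
  printf '%s\n' "$2" | while IFS=: read -r name _pw uid _rest; do
    [ -n "$name" ] || continue
    # Skip system and service accounts; 1000 is the usual floor (assumption)
    [ "$uid" -ge 1000 ] 2>/dev/null || continue
    # Skip accounts that also exist locally under the same name
    printf '%s\n' "$local_names" | grep -qxF -- "$name" && continue
    printf '%s\n' "$name"
  done | sort | paste -s -d ',' -
}

# Constructed sample data: a local passwd file and what NSS returns on a
# node joined to IdM (UIDs in the 684400001 range as in the thread).
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin'

SAMPLE_NSS="$SAMPLE_LOCAL
dewhite:*:684400001:684400001:Daniel White:/home/dewhite:/bin/bash
jdoe:*:684400002:684400001:Jane Doe:/home/jdoe:/bin/bash
svc-backup:*:999:999:backup service:/:/sbin/nologin"

# When executed from facts.d under its installed name, emit the real fact;
# otherwise stay quiet so the function can be sourced and reused.
case "${0##*/}" in
  directory_users.sh)
    printf 'directory_users=%s\n' \
      "$(directory_users "$(cat /etc/passwd)" "$(getent passwd)")"
    ;;
esac
```

With the sample data the function returns `dewhite,jdoe`: `alice` is local, `nobody` is local, and `svc-backup` falls below the UID floor. A manifest can then iterate over `$facts['directory_users'].split(',')` to decide per user what to manage.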

Dan White

Feb 6, 2017, 10:03:12 AM
to puppet...@googlegroups.com
Thanks for the idea. 
I will tinker and report back. 


"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."

Bill Watterson (Calvin & Hobbes)
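Christopher's first-login alternative, written out as an added example (not code from the thread): a function to source from a /etc/profile.d snippet, running with the logging-in user's own privileges, that copies dotfiles from a template directory into $HOME only where no file of that name exists, then drops the lockfile he mentions so it never runs again. The template path /etc/skel-extra and the lockfile name `.dot_file_copy_done` are assumptions.

```sh
#!/bin/sh
# First-login dotfile seeding (added example, not from the thread).
# Source it from /etc/profile.d/seed_dotfiles.sh and call:
#   seed_dotfiles /etc/skel-extra "$HOME" >/dev/null
# It runs as the user (no privilege needed), never overwrites an existing
# file, and a user who wants the defaults back just removes the lockfile.

# seed_dotfiles TEMPLATE_DIR HOME_DIR
# Prints the number of files copied. Always returns 0 so that a problem
# here never breaks a login shell.
seed_dotfiles() {
  template_dir=$1
  home_dir=$2
  lock="$home_dir/.dot_file_copy_done"
  copied=0
  [ -d "$template_dir" ] && [ -d "$home_dir" ] || { echo 0; return 0; }
  [ -e "$lock" ] && { echo 0; return 0; }
  for src in "$template_dir"/.[!.]* "$template_dir"/*; do
    # Regular files only; an unmatched glob stays literal and is skipped here
    [ -f "$src" ] || continue
    dst="$home_dir/${src##*/}"
    # Leave anything already present alone, including dangling symlinks
    if [ -e "$dst" ] || [ -L "$dst" ]; then
      continue
    fi
    # Copy in a subshell so the restrictive umask does not leak into the shell
    ( umask 077 && cp -p -- "$src" "$dst" ) && copied=$((copied + 1))
  done
  : > "$lock"
  echo "$copied"
  return 0
}
```

Because the function only ever creates files that are missing, it is safe to re-run after the lockfile is deleted: a user's customised `.bashrc` is untouched while a newly added template file is picked up.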

Thomas Müller

Feb 7, 2017, 12:59:36 AM
to Puppet Users
IMHO sounds like a job for pam_mkhomedir (https://linux.die.net/man/8/pam_mkhomedir) and not for puppet.

- Thomas

bert hajee

Feb 7, 2017, 7:03:51 AM
to Puppet Users
Dan,

We recently developed a puppet custom type to manage users inside a LDAP directory. Here you can find some documentation. It is a commercial module, but free in development and free in production up to 50 manageable entries. Maybe this can help you.


Regards,

Bert Hajee

Dan White

Feb 7, 2017, 11:17:47 AM
to puppet...@googlegroups.com
I am not trying to manage users. 
I am trying to INTELLIGENTLY push out things like dot-files, but Puppet cannot "see" IdM created users. 


"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."

Bill Watterson (Calvin & Hobbes)


Thomas

Feb 7, 2017, 11:25:05 AM
to puppet...@googlegroups.com


On 7 February 2017 at 17:17:30 CET, Dan White <d_e_...@icloud.com> wrote:
>I am not trying to manage users.
>I am trying to INTELLIGENTLY push out things like dot-files, but Puppet
>cannot "see" IdM created users.
>

"Intelligent" software provides ways to set admin (=puppet) managed system defaults somewhere in /etc .

It doesn't seem to me like a best practice to manage $HOME/ files.

Rob Nelson

Feb 7, 2017, 3:06:56 PM
to puppet...@googlegroups.com
Remember that `if User['x']` is not looking to see if the user x exists, but whether or not you have a resource of type User with the title 'x'. In other words, it checks to see if you declared `user { 'x': ... }` somewhere in your manifests. Puppet ONLY manages those things that you tell it to, hence why you hit the else branch every time.


I will also second the idea that managing home directories with external users is not necessarily the best way to proceed. Your IdM platform may offer a way to do network profiles, or you can use NFS or similar to provide them on machines. Those are likely better approaches to investigate in the long term.


Dan White

Feb 7, 2017, 3:14:15 PM
to puppet...@googlegroups.com
Thanks for the info, Rob. 

NFS is an option, but I need to see if it will be permitted by the Security 🚨 Folks. 


"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."

Bill Watterson (Calvin & Hobbes)
