puppet and LDAP users


TrevorPH

Mar 1, 2009, 6:53:17 AM
to Puppet Users
I am trying to get puppet to manage my LDAP users but I don't appear
to be having much success. What I have in puppet.conf is this

    [puppetmasterd]
    ldapserver=ldap.myorg.company.com
    ldapbase=dc=myorg,dc=org
    ldapuser=cn=admin,dc=myorg,dc=org
    ldappassword=mysecret
    ldapparentattr=dc=myorg,dc=org

I added the ldapparentattr in desperation and doubt if it's actually
required. Now I have a class which says

    user { "myuser":
        uid        => 500,
        groups     => "myuser",
        gid        => 500,
        ensure     => present,
        comment    => "some info",
        managehome => true,
        home       => "/home/myuser",
        shell      => "/bin/bash",
        require    => Group["myuser"],
    }

and the message I get is this

    [root@here]# puppetd --test --noop --tags users
    info: Loading fact drbd
    info: Retrieving facts
    info: Loading fact drbd
    info: Caching catalog at /var/lib/puppet/localconfig.yaml
    notice: Starting catalog run
    err: Got an uncaught exception of type LDAP::ResultError: Invalid DN syntax
    notice: Finished catalog run in 4.01 seconds

I have tcpdump on port 389 running in another window and what I see is
that puppet seems to be trying to send commands to the LDAP server but
is missing the ldapbase info from everything - so it's sending things
like

    uid=myuser,ou=People,

and missing dc=myorg,dc=org from it.

Does this look like I am missing anything critical or has anyone done
this before? I don't want to put my puppet nodes into LDAP but I do
have my linux authentication already running out of LDAP and ideally
am trying to get puppet to manage them for me.

Incidentally, in /usr/lib/ruby/site_ruby/1.8/puppet/provider/group/ldap.rb
ou=Groups appears to be hard-coded, but this is not where my groups are
defined in LDAP and the only way I could see to fix this was to edit the
file and hack it that way.

Running on Centos 5.2 with puppet-0.24.7-4.el5

Larry Ludwig

Mar 1, 2009, 8:29:58 AM
to puppet...@googlegroups.com
Hi, two suggestions:

1. make sure ruby-ldap gem is installed
2. test via ldapsearch where puppetmasterd is installed

Reviewing the wiki will also help:

http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes

-L

--
Larry Ludwig


Trevor Hemsley

Mar 1, 2009, 4:09:06 PM
to puppet...@googlegroups.com
Larry Ludwig wrote:
> Hi two suggestions:
>
> 1. make sure ruby-ldap gem is installed
>
It is. On a different system without ruby-ldap installed I get

    err: Could not prefetch user provider 'ldap': Could not set up LDAP Connection: Missing ruby/ldap libraries

> 2. test via ldapsearch where puppetmasterd is installed
>

This works since I am using LDAP via pam to allow access to the systems.
But ldapsearch also works.


> Also reviewing the wiki will also help:
>
> http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes
>

The symptoms that I see are that puppet is not requesting a full DN
though. It's 'forgetting' to append ldapbase to the end of the query so
it's unsurprising that it is not working.

--

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* 4th Floor, Tower Point,
44 North Road,
Brighton, BN1 1YR, UK

OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351

.................................................
www.calypso.com


Larry Ludwig

Mar 1, 2009, 7:34:18 PM
to puppet...@googlegroups.com

On Mar 1, 2009, at 4:09 PM, Trevor Hemsley wrote:

>
> Larry Ludwig wrote:
>> Hi two suggestions:
>>
>> 1. make sure ruby-ldap gem is installed
>>
> It is. On a different system without ruby-ldap installed I get
>
> err: Could not prefetch user provider 'ldap': Could not set up LDAP
> Connection: Missing ruby/ldap libraries
>
>>

> The symptoms that I see are that puppet is not requesting a full DN
> though. It's 'forgetting' to append ldapbase to the end of the query
> so
> it's unsurprising that it is not working.
>

Hmm in my openldap ldap.conf file I defined the base dn, I don't
remember if that was done for any specific reason.

I would check the source code to see if it helps you determine what
the error may be.

What version of Puppetmaster are you using on what platform, with what
LDAP?

At the moment I'm not sure what is the root cause of your error.

>

-L

--
Larry Ludwig

Trevor Hemsley

Mar 1, 2009, 9:04:34 PM
to puppet...@googlegroups.com
Larry Ludwig wrote:
> Hmm in my openldap ldap.conf file I defined the base dn, I don't
> remember if that was done for any specific reason.
>
I have the base dn defined in both ldap.conf files (/etc/ldap.conf and
/etc/openldap/ldap.conf are listed below). ldapsearch -x works from the
command line on this system. One oddity about that is that ldapsearch -x
uses ldaps:// so talks encrypted on port 636 not plain text on port 389
- this is correct as far as I am concerned, I don't want plain text
communication. Puppet talks plain text on port 389 though.

> What version of Puppetmaster are you using on what platform, with what
> LDAP?
>
    [root@myhost]# rpm -q puppet-server
    puppet-server-0.24.7-4.el5

    [root@myhost]# cat /etc/redhat-release
    CentOS release 5.2 (Final)

    [root@myhost]# rpm -q openldap-servers
    openldap-servers-2.3.27-8.el5_2.4

    [root@myhost]# grep -v "^#" /etc/ldap.conf | grep -v "^$"
    base dc=myorg,dc=org
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
    uri ldaps://ldap.myorg.company.com/
    ssl on
    tls_cacertdir /etc/openldap/cacerts
    pam_password crypt

    [root@myhost]# cat /etc/openldap/ldap.conf
    URI ldaps://ldap.myorg.company.com/
    BASE dc=myorg,dc=org
    TLS_CACERTDIR /etc/openldap/cacerts

    [root@myhost]# ruby -rldap -e 'puts :installed'
    installed
    [root@myhost]# ruby -rpuppet -e 'p Puppet.features.ldap?'
    true

Much experimentation later... fixed. I had to specify the ldapxxx =
parameters in the [puppetd] stanza of /etc/puppet/puppet.conf to make it
work, e.g.

    [puppetd]
    ldapserver=ldap.myorg.company.com
    ldapbase=dc=myorg,dc=org
    ldapuser=cn=admin,dc=myorg,dc=org
    ldappassword=mysecret

Larry Ludwig

Mar 1, 2009, 10:27:38 PM
to puppet...@googlegroups.com

On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:

>
> [puppetd]
> ldapserver=ldap.myorg.company.com
> ldapbase=dc=myorg,dc=org
> ldapuser=cn=admin,dc=myorg,dc=org
> ldappassword=mysecret
>


In my case it's in [puppetmasterd] but glad it works for you.

-L

--
Larry Ludwig

Luke Kanies

Mar 3, 2009, 12:09:36 PM
to puppet...@googlegroups.com


Heh, both of you should probably put it in main. :)

You need to either put it in main, the section named after the
environment, or the section named after the executable, and (here's
the key) you want it in the most general block possible.

If there's no harm in putting it in main, you should *always* do so.

Otherwise, only the named executable will have access to those settings.

--
Morgan's Second Law:
To a first approximation all appointments are canceled.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
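The two points made in this thread (Trevor's tcpdump showing puppetd searching for "uid=myuser,ou=People," with no base DN, and Luke's explanation that a setting placed only in [puppetmasterd] is invisible to puppetd unless it is moved to [main]) can be reproduced with a small model. The following Ruby is an added example written for this page; it is not Puppet's code and does not read Puppet's real settings. It parses an INI-style puppet.conf, resolves a setting the way an executable would see it (the relative order of executable section, environment section and [main] used here is an assumption; the thread only establishes that all three are consulted), then builds the user DN the way the capture suggests the provider did. The sample config texts are constructed, with the password replaced by a placeholder.

```ruby
# Added example, not Puppet's own code: models puppet.conf section scoping
# and the "Invalid DN syntax" failure seen when ldapbase is not visible to
# the executable that manages LDAP users.

# Parse an INI-style puppet.conf into { section => { key => value } }.
def parse_puppet_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = "main"
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    if line =~ /\A\[([^\]]+)\]\z/
      current = $1
    elsif line =~ /\A([^=\s]+)\s*=\s*(.*)\z/
      sections[current][$1] = $2
    end
  end
  sections
end

# Resolve a setting as one executable would see it.  Only [main], the
# environment section and the executable's own section are consulted;
# the lookup order between them is an assumption made for this example.
def resolve_setting(sections, key, executable, environment = nil)
  [executable, environment, "main"].compact.each do |sec|
    return sections[sec][key] if sections.key?(sec) && sections[sec].key?(key)
  end
  nil
end

# Build the DN a user lookup would target.  Joining blindly, as the tcpdump
# capture in the thread suggests, leaves a trailing comma when base is empty.
def user_dn(username, base, people_ou = "ou=People")
  ["uid=#{username}", people_ou, base.to_s].join(",")
end

# A DN with an empty RDN component is what the server rejects as
# "Invalid DN syntax".
def valid_dn?(dn)
  dn.split(",", -1).none? { |rdn| rdn.strip.empty? }
end

# Constructed sample configs mirroring the thread (password redacted).
CONF_MASTER_ONLY = <<~CONF
  [puppetmasterd]
  ldapserver=ldap.myorg.company.com
  ldapbase=dc=myorg,dc=org
  ldapuser=cn=admin,dc=myorg,dc=org
  ldappassword=REDACTED
CONF

CONF_MAIN = <<~CONF
  [main]
  ldapserver=ldap.myorg.company.com
  ldapbase=dc=myorg,dc=org
  ldapuser=cn=admin,dc=myorg,dc=org
  ldappassword=REDACTED
CONF

# DN that the named executable would search for, given a config text.
def dn_for(conf_text, executable, username = "myuser")
  base = resolve_setting(parse_puppet_conf(conf_text), "ldapbase", executable)
  user_dn(username, base)
end

if __FILE__ == $0
  %w[puppetd puppetmasterd].each do |exe|
    [["[puppetmasterd] only", CONF_MASTER_ONLY], ["[main]", CONF_MAIN]].each do |label, conf|
      dn = dn_for(conf, exe)
      puts "#{exe} with #{label}: #{dn} (#{valid_dn?(dn) ? 'ok' : 'Invalid DN syntax'})"
    end
  end
end
```

Running it prints the broken "uid=myuser,ou=People," for puppetd under the [puppetmasterd]-only config and a full DN for both executables once the settings live in [main]. One practical consequence of following Luke's advice: the bind DN and ldappassword then sit in cleartext in a section every Puppet executable reads, so the permissions on puppet.conf matter on every node that carries it, and the bind account should have no more rights in the directory than user and group management needs.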

Larry Ludwig

Mar 3, 2009, 2:42:30 PM
to puppet...@googlegroups.com

On Mar 3, 2009, at 12:09 PM, Luke Kanies wrote:

>
> On Mar 1, 2009, at 9:27 PM, Larry Ludwig wrote:
>
>>
>>
>> On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:
>>
>>>
>>> [puppetd]
>>> ldapserver=ldap.myorg.company.com
>>> ldapbase=dc=myorg,dc=org
>>> ldapuser=cn=admin,dc=myorg,dc=org
>>> ldappassword=mysecret
>>>
>>
>>
>> In my case it's in [puppetmasterd] but glad it works for you.
>
>
> Heh, both of you should probably put it in main. :)
>
> You need to either put it in main, the section named after the
> environment, or the section named after the executable, and (here's
> the key) you want it in the most general block possible.
>
> If there's no harm in putting it in main, you should *always* do so.
>
> Otherwise, only the named executable will have access to those
> settings.
>

What other app in puppet uses LDAP?

-L

Luke Kanies

Mar 4, 2009, 4:00:28 PM
to puppet...@googlegroups.com

puppetmasterd looks in ldap for node information, and puppetd can
manage users and groups in ldap.

--
A lot of people mistake a short memory for a clear conscience.
-- Doug Larson
