TrevorPH | 1 Mar 2009 12:53

[Puppet Users] puppet and LDAP users


I am trying to get puppet to manage my LDAP users but I don't appear
to be having much success. What I have in puppet.conf is this

[puppetmasterd]
        ldapserver=ldap.myorg.company.com
        ldapbase=dc=myorg,dc=org
        ldapuser=cn=admin,dc=myorg,dc=org
        ldappassword=mysecret
        ldapparentattr=dc=myorg,dc=org

I added the ldapparentattr in desperation and doubt if it's actually
required. Now I have a class which says

        user { "myuser":
                uid => 500,
                groups => myuser,
                gid => 500,
                ensure => present,
                comment => "some info",
                managehome => 'true',
                home => "/home/myuser",
                shell => "/bin/bash",
                require => [ Group["myuser"] ]
                }

and the message I get is this

[root@here]# puppetd --test --noop --tags users
info: Loading fact drbd

Larry Ludwig | 1 Mar 2009 14:29

[Puppet Users] Re: puppet and LDAP users


Hi two suggestions:

1. make sure ruby-ldap gem is installed
2. test via ldapsearch where puppetmasterd is installed

Also reviewing the wiki will also help:

http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes

-L

--
Larry Ludwig

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Trevor Hemsley | 1 Mar 2009 22:09

[Puppet Users] Re: puppet and LDAP users


Larry Ludwig wrote:
> Hi two suggestions:
>
> 1. make sure ruby-ldap gem is installed
>   
It is. On a different system without ruby-ldap installed I get

err: Could not prefetch user provider 'ldap': Could not set up LDAP
Connection: Missing ruby/ldap libraries

> 2. test via ldapsearch where puppetmasterd is installed
>   
This works since I am using LDAP via pam to allow access to the systems.
But ldapsearch also works.
> Also reviewing the wiki will also help:
>
> http://www.reductivelabs.com/trac/puppet/wiki/LDAPNodes
>   
The symptoms that I see are that puppet is not requesting a full DN
though. It's 'forgetting' to append ldapbase to the end of the query so
it's unsurprising that it is not working.

-- 

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* 4th Floor, Tower Point,

Robin Lee Powell | 2 Mar 2009 00:36

[Puppet Users] "Rails is missing"... What?


On all 3 of my servers, after a routine aptitude upgrade, I'm now
getting:

    ec2-www1# puppetd -tv
    info: Retrieving plugins
    info: Retrieving facts
    err: Could not retrieve catalog: Rails is missing; cannot store configurations
    warning: Not using cache on failed catalog

When I went to restart puppetmasterd on the master, I got what I
assume is the explanation:

    Failed to load feature test for rails: undefined method `synchronize' for ActiveRecord::ConnectionAdapters::ConnectionPool:Class

I guess some library changed, but I really don't know enough about
Rails to guess which one, and I haven't seen anything that looks
helpful in google yet.

-Robin

-- 
They say:  "The first AIs will be built by the military as weapons."
And I'm thinking:  "Does it even occur to you to try for something
other than the default outcome?" -- http://shorl.com/tydruhedufogre
http://www.digitalkingdom.org/~rlpowell/ *** http://www.lojban.org/


Larry Ludwig | 2 Mar 2009 01:34

[Puppet Users] Re: puppet and LDAP users


On Mar 1, 2009, at 4:09 PM, Trevor Hemsley wrote:

>
> Larry Ludwig wrote:
>> Hi two suggestions:
>>
>> 1. make sure ruby-ldap gem is installed
>>
> It is. On a different system without ruby-ldap installed I get
>
> err: Could not prefetch user provider 'ldap': Could not set up LDAP
> Connection: Missing ruby/ldap libraries
>
>>
> The symptoms that I see are that puppet is not requesting a full DN
> though. It's 'forgetting' to append ldapbase to the end of the query so
> it's unsurprising that it is not working.
>

Hmm in my openldap ldap.conf file I defined the base dn, I don't  
remember if that was done for any specific reason.

I would check the source code to see if it helps you determine what  
the error may be.

What version of Puppetmaster are you using on what platform, with what  
LDAP?


Trevor Hemsley | 2 Mar 2009 03:04

[Puppet Users] Re: puppet and LDAP users (SOLVED)


Larry Ludwig wrote:
> Hmm in my openldap ldap.conf file I defined the base dn, I don't  
> remember if that was done for any specific reason.
>   
I have the base dn defined in both ldap.conf files (/etc/ldap.conf and
/etc/openldap/ldap.conf are listed below). ldapsearch -x works from the
command line on this system. One oddity about that is that ldapsearch -x
uses ldaps:// so talks encrypted on port 636 not plain text on port 389
- this is correct as far as I am concerned, I don't want plain text
communication. Puppet talks plain text on port 389 though.
> What version of Puppetmaster are you using on what platform, with what  
> LDAP?
>   
[root@myhost]# rpm -q puppet-server
puppet-server-0.24.7-4.el5

[root@myhost]# cat /etc/redhat-release
CentOS release 5.2 (Final)

[root@myhost]# rpm -q openldap-servers
openldap-servers-2.3.27-8.el5_2.4

[root@myhost]# grep -v "^#" /etc/ldap.conf | grep -v "^$"
base dc=myorg,dc=org
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
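
The message above observes that Puppet binds in plain text on port 389 while carrying ldapuser and ldappassword. As an added example (not code from this thread or from Puppet itself), the Ruby sketch below audits a puppet.conf for that condition; it assumes Puppet's ldapssl, ldaptls and ldapport settings, which the thread does not show, and the function names are hypothetical.

```ruby
# Added example: audit the LDAP settings of a puppet.conf for cleartext binds.
# SAMPLE_CONF is constructed from the settings quoted in this thread.
SAMPLE_CONF = <<~CONF
  [puppetmasterd]
          ldapserver=ldap.myorg.company.com
          ldapbase=dc=myorg,dc=org
          ldapuser=cn=admin,dc=myorg,dc=org
          ldappassword=mysecret
CONF

# Parse "[section]" headers and "key = value" lines; values may contain '='.
def parse_puppet_conf(text)
  section = "main"
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
end

def truthy?(value)
  value.to_s.strip.downcase == "true"
end

# Return the findings for every section that configures an LDAP server.
def audit_ldap(text)
  parse_puppet_conf(text).flat_map do |section, s|
    next [] unless s.key?("ldapserver")
    findings = []
    encrypted = truthy?(s["ldapssl"]) || truthy?(s["ldaptls"])
    port = s.fetch("ldapport", "389")
    unless encrypted
      findings << "[#{section}] ldapssl/ldaptls not enabled: traffic to " \
                  "#{s['ldapserver']}:#{port} is cleartext"
      findings << "[#{section}] ldappassword for #{s['ldapuser']} is sent " \
                  "over that cleartext bind" if s.key?("ldappassword")
    end
    findings << "[#{section}] ldappassword stored in puppet.conf: restrict " \
                "file permissions" if s.key?("ldappassword")
    findings
  end
end

puts audit_ldap(SAMPLE_CONF)
```
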

chakkerz | 2 Mar 2009 03:42

[Puppet Users] Re: too many open files


Hans pointed out that pfiles on the client might be an idea. If I
watch it, I get to 255 open files before it tanks.

Cheers
chakkerz

Larry Ludwig | 2 Mar 2009 04:27

[Puppet Users] Re: puppet and LDAP users (SOLVED)


On Mar 1, 2009, at 9:04 PM, Trevor Hemsley wrote:

>
> [puppetd]
> ldapserver=ldap.myorg.company.com
> ldapbase=dc=myorg,dc=org
> ldapuser=cn=admin,dc=myorg,dc=org
> ldappassword=mysecret
>

In my case it's in [puppetmasterd] but glad it works for you.

-L

--
Larry Ludwig


Avi Miller | 2 Mar 2009 04:35

[Puppet Users] Using Augeas type to update sshd_config's AllowGroups


Hey gang,

I seem to be having a brain disconnect on how to get the Augeas type to 
manage things that have multiple values (i.e. an Augeas tree) via Puppet.

If I run this in augtool:

augtool> set /files/etc/ssh/sshd_config/AllowGroups/1000 sshuser
augtool> save

I see this in /etc/ssh/sshd_config:

AllowGroups     sshuser

However, if I try this in an Augeas type:

augeas { "sshd_conf_group_sshuser":
    context => "/files/etc/ssh/sshd_config",
    changes => "set /files/etc/ssh/sshd_config/AllowGroups/10000 sshuser",
}

I get the following errors from puppetd:

info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
/usr/share/augeas/lenses/sshd.aug:20.7-.37:Short split for concat
err:

//Node[testnode]/ssh/Ssh::Sshd_conf_group[sshuser]/Augeas[sshd_conf_group_sshuser]/returns: 

Sebastian Krueger | 2 Mar 2009 04:46

[Puppet Users] problem changing group membership for linux users

Hi list,

I want to ensure that the eaiadmin user is always a member of the users group. I use the following configuration:

class baseusers {
    include virt_groups, virt_users

    realize(
        Group["eaiadmin"],
        Group["users"]
    )

    realize(
        User["eaiadmin"]
    )

}

class virt_users {
        @user { "eaiadmin":
                gid    => "30",
                ensure => present,
                groups => [ "users" ]
        }
}

class virt_groups {
        @group { "eaiadmin":
                gid     => "30",
                ensure  => present
        }
        @group { "users":
                gid     => "100",
                ensure  => present
        }
}

This works well, however it looks like the setting is applied every time, regardless if the eaiadmin user is already in the users group.

Here is a snippet from the log:

Mar  2 16:36:42 eaisoa-kbp-a4dk puppetd[3327]: (//Node[basenode]/baseusers/virt_users/User[eaiadmin]) Changing groups
Mar  2 16:36:42 eaisoa-kbp-a4dk puppetd[3327]: (//Node[basenode]/baseusers/virt_users/User[eaiadmin]) 1 change(s)
Mar  2 16:36:43 eaisoa-kbp-a4dk puppetd[3327]: (User[eaiadmin](provider=useradd)) Executing '/usr/sbin/usermod -G users eaiadmin'
Mar  2 16:36:44 eaisoa-kbp-a4dk shadow[28443]: account removed from group - account=eaiadmin, group=users, gid=100, by=0
Mar  2 16:36:44 eaisoa-kbp-a4dk shadow[28443]: account removed from group - account=eaiadmin, group=users, gid=100, by=0
Mar  2 16:36:44 eaisoa-kbp-a4dk shadow[28443]: account added to group - account=eaiadmin, group=users, gid=100, by=0
Mar  2 16:36:44 eaisoa-kbp-a4dk puppetd[3327]: (//Node[basenode]/baseusers/virt_users/User[eaiadmin]/groups) groups changed 'users,users' to 'users'

Why does it show 'users,users' to 'users'? Is this a bug with the groupadd provider? For some reason puppet thinks that eaiadmin is not a member of the users group, even though it is.

Regards, Sebastian.
