Bug #7911
Can't handle local users in LDAP environment
| Status: | Accepted | Start date: | 06/14/2011 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | 3.X | |||
| Affected Puppet version: | Branch: | |||
| Keywords: | ||||
| Votes: | 11 |
Description
Our environment (mostly RHEL) uses LDAP for user and group administration. Unfortunately, we have some cases where (broken) software insists on local users and groups. I’m guessing it’s checking the files directly instead of using the proper system calls.
Puppet won’t create the user locally, as it sees the user as already existing. RHEL does have local versions of the user and group management commands (luseradd, lusermod, etc). Would there be any implications to adding a ‘local’ provider for the user type that adds support for managing local users and groups in an environment where most accounts are managed remotely?
History
Updated by Jacob Helwig 11 months ago
Seems reasonable to add an luseradd provider to mirror the existing useradd provider, then it could be just another user resource in the manifest.
Updated by Jacob Helwig 11 months ago
- Status changed from Unreviewed to Accepted
- Target version set to 3.X
Updated by Chris Wiederkehr 11 months ago
We have the same problem. I’m just adding some info, so others who run into this issue know why this happens.
This is the error message you get if you want to locally remove a group which is defined in LDAP and dos not exist in the local /etc/group (anymore): //module/Group[goupname]/ensure) change from present to absent failed: Could not delete group keydist: Execution of ‘/usr/sbin/groupdel groupname’ returned 6: UX: groupdel: ERROR: groupdel does not exist.
The group type inherits from provider/nameservice.rb which relies on the ruby Etc module. And the Etc module uses getpwnam()/getgrnam() systemcalls. The systemcalls will look at your /etc/nsswitch.conf where ldap is defined as one of the group/user sources.
I hope this helps