> On Aug 13, 2019, at 9:30 PM, Garrett Honeycutt <g...@garretthoneycutt.com> 
> wrote:
> 
>> On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
>> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users
>> <puppet-users@googlegroups.com <mailto:puppet-users@googlegroups.com>>
>> wrote:
>> 
>>> Is there any current documentation about how to create user resources
>>> with an ldap provider ?
>> 
>> Let me be a bit more specific on this question.  I am looking for the
>> setup details to allow Puppet to get the user information from ldap.  I
>> am guessing this is a “read-only” thing and that the user must exist in
>> ldap before Puppet can use it.
> 
> Hi Dan,
> 
> Surprised by this idea and curious about your use case. Puppet is better
> for modeling resources on a system as opposed to data in an external
> database, which is what users are in LDAP. Normally you would use Puppet
> to manage local users as well as the setup necessary for nsswitch,
> sssd/nscd and pam so the system can resolve users and groups from LDAP.
> 
> Best regards,
> -g
> 
> -- 
> Garrett Honeycutt
> Tailored Automation
> https://tailoredautomation.io

Hi, Garrett

The use case is simple.
Centralized credentials in LDAP.
Minimal local accounts other than system and service users and a non-root admin 
login with sudo permissions as an emergency back door. 

We also have lots of appliances, applications, and network devices that can use 
LDAP or RADIUS for authentication. I found multiple references for a FreeRADIUS 
service with the credentials in LDAP. 

I see the PE documentation about connecting to an external directory service, 
but it looks like that is only for PE console users and not for Puppet managed 
node user accounts. 

If I set up the system as you describe with sssd/nsswitch/pam for users defined 
in LDAP, can I then just create appropriate user resources with “provider => 
ldap” and expect the login to be created on the node server ?  Or is it like 
with FreeIPA where you just log in with the LDAP credentials and your home 
directory is created the first time ?

----------------------------------
"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)
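The layout Garrett describes, a single local break-glass admin managed by Puppet plus the sssd/nsswitch/pam wiring so every other login resolves from LDAP, as an added Puppet example. This is not code from either poster or from Puppet's own documentation. It assumes puppetlabs-stdlib is installed for file_line; the class name, LDAP URI, base DN, CA certificate path, uid, account name and the RHEL-style PAM file path are placeholders for a real site.

```puppet
# Added example, not from the thread or from Puppet itself.
# Assumes puppetlabs-stdlib (file_line); all hostnames, DNs and paths are placeholders.
class profile::ldap_logins (
  String  $ldap_uri         = 'ldaps://ldap.example.com',      # assumption
  String  $ldap_search_base = 'dc=example,dc=com',              # assumption
  String  $ca_cert          = '/etc/pki/tls/certs/ldap-ca.pem', # assumption
  String  $pam_session_file = '/etc/pam.d/system-auth',         # RHEL-style path, assumption
  String  $admin_user       = 'breakglass',                     # assumption
  Integer $admin_uid        = 900,                              # assumption
  # '!' keeps the account locked until a real hash is supplied (e.g. via Hiera/eyaml).
  String  $admin_hash       = '!',
) {

  # 1. The one local, non-root admin. provider => useradd keeps it in
  #    /etc/passwd and /etc/shadow, so it still works when LDAP is unreachable.
  user { $admin_user:
    ensure     => present,
    provider   => 'useradd',
    uid        => $admin_uid,
    gid        => 'wheel',
    shell      => '/bin/bash',
    managehome => true,
    password   => $admin_hash,
  }

  # sudo rights via a drop-in. visudo -c checks the syntax before the new
  # content replaces the live file, so a typo cannot break sudo for everyone.
  file { "/etc/sudoers.d/${admin_user}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${admin_user} ALL=(ALL) ALL\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
  }

  # 2. sssd answers NSS and PAM lookups from LDAP over TLS with a verified CA.
  #    sssd refuses to start unless its config is root-owned and 0600.
  package { 'sssd':
    ensure => installed,
  }

  file { '/etc/sssd/sssd.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => @("SSSD"),
      [sssd]
      services = nss, pam
      domains = LDAP

      [domain/LDAP]
      id_provider = ldap
      auth_provider = ldap
      ldap_uri = ${ldap_uri}
      ldap_search_base = ${ldap_search_base}
      ldap_tls_cacert = ${ca_cert}
      ldap_tls_reqcert = demand
      cache_credentials = false
      | SSSD
    require => Package['sssd'],
    notify  => Service['sssd'],
  }

  service { 'sssd':
    ensure => running,
    enable => true,
  }

  # 3. nsswitch: local files first (the break-glass user resolves without
  #    LDAP), then sss for directory users.
  ['passwd', 'group', 'shadow'].each |String $db| {
    file_line { "nsswitch ${db} via sss":
      path  => '/etc/nsswitch.conf',
      line  => "${db}:     files sss",
      match => "^${db}:",
    }
  }

  # 4. PAM: create the home directory on first login. The pam_sss auth and
  #    account lines are normally inserted by authselect or pam-auth-update
  #    and are not managed here.
  file_line { 'pam_mkhomedir':
    path => $pam_session_file,
    line => 'session     optional      pam_mkhomedir.so umask=0077',
  }
}
```

In this model no user resource for the LDAP accounts exists on the node at all: the directory holds them, sssd resolves them, and pam_mkhomedir creates the home directory on first login. Only the break-glass account and the client configuration are Puppet-managed local state.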


To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/B780B986-9561-4272-912E-F7173026612C%40icloud.com.