Hi Dan,

I understand your request, but I'm not sure it is best performed by the puppet agent directly. As you are not controlling from puppet which users exist on which servers, it would probably make sense to take an indirect approach and use puppet to ship a permission fixing script and a cron job calling it. So puppet would still be in control of the process, but would not directly fix the user's files. This has the additional advantage that the frequency of that check is not coupled to the frequency of the puppet agent running, but can happen more or less often depending on your requirements.

*If* you want to keep the permission checking inside the puppet agent run, my best bet would probably be a custom fact on the server that exports the name of all ldap users that have files on the system. You then could iterate over these users ($facts['ldap_users'].each | | ...) and go on from there. Depending on how many users you have and the amount of files you want to check you then also have to take the agent runtime into account. We once had a team that tried to ensure the file ownership/permissions on >100k files from puppet; we had to move that into a separate script because the agent runtime was not tolerable any more.

Best regards
Karsten
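
The indirect approach from the message above, as an added example that is not part of the original post: a Puppet class that ships a script and schedules it with cron. The class name, script path, `/home` tree, schedule and the policy the script enforces (clearing the world-writable bit) are all assumptions.

```puppet
# Added example: class name, paths, schedule and script policy are assumptions.
class perm_fix {
  $script_path = '/usr/local/sbin/fix-user-perms.sh'  # hypothetical path

  # Unquoted heredoc tag: no interpolation, so the shell text ships verbatim.
  $script_body = @(SCRIPT)
    #!/bin/sh
    # Assumed policy: clear the world-writable bit on regular files under /home.
    # -xdev stays on one filesystem; -type f matches only regular files, so
    # symlinks placed in a user's tree are not selected by this root-run job.
    find /home -xdev -type f -perm -0002 -exec chmod o-w {} +
    | SCRIPT

  file { $script_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',   # only root may modify or run the script
    content => $script_body,
  }

  cron { 'fix-user-perms':
    command => $script_path,
    user    => 'root',
    hour    => '*/6',          # frequency is independent of the agent interval
    minute  => fqdn_rand(60),  # spread start times across hosts
    require => File[$script_path],
  }
}
```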