Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-15 Thread jcbollinger


On Wednesday, August 14, 2019 at 9:05:24 AM UTC-5, LinuxDan wrote:
 

> Your response makes perfect sense.  I am planning to use FreeIPA/Red Hat 
> Identity Manager which uses SSSD to do everything you describe for your 
> house.
>
> I want to be able to manage aspects of the user home directories for 
> hardening purposes - permissions, no dot-netrc files, that sort of thing.
>
>
To the best of my knowledge and my ability to interpret the docs, User 
resources don't provide for any such thing, nor are they a prerequisite for 
such management.

 

> In your experience, is it possible for an LDAP-authenticating login to 
> have a user resource at all ?  If not, I will have to consider a shotgun 
> approach to the home-dir management.
>


It ought to be *possible*, but I don't think it would be *useful* for a 
system with an effectively read-only user database.

If your idea is to have a list of users for each machine under management, 
then User resources do not advance that objective -- it is easier and 
better to represent a prescriptive user list in external data, and if you 
want to expose that for use by multiple classes then a class variable will 
serve that purpose nicely (and in fact, I do exactly that).  If you're 
looking instead for an adaptive list, of users who are observed to have 
home directories on the system, say, then a custom fact is definitely the 
way to go.

I note, however, that although I know and manage which users are authorized 
to log in to each of my machines, I do not manage the permissions on or 
contents of their home directories.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/cbc79ece-7582-439c-b8b4-1d8be708e2a4%40googlegroups.com.
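The custom fact John recommends above for an adaptive list of users, written out as an added example; this is not code from the thread, from Puppet or from Facter. It assumes home directories live under `/home`, that a home directory whose name has no entry in the local `/etc/passwd` belongs to a user supplied by the directory service (SSSD/LDAP), and it reuses the fact name `ldap_users` that Karsten uses elsewhere in this thread; the helper names are this example's own.

```ruby
# Added example, not code from the thread or from Puppet/Facter: a custom fact
# that reports directory-backed users observed to have a home directory.
# Assumptions (hypothetical, not from the thread): home directories live under
# HOME_ROOT, and a home directory whose name has no entry in the local passwd
# file belongs to a user supplied by the directory service (SSSD/LDAP). The
# fact name 'ldap_users' is the one Karsten uses in his reply.
HOME_ROOT = '/home'.freeze
LOCAL_PASSWD = '/etc/passwd'.freeze
# Directory names under HOME_ROOT that are never user homes.
SKIP_NAMES = %w[lost+found].freeze

# Parse a passwd-format file into a Hash of username => home directory.
def local_accounts(passwd_path)
  File.foreach(passwd_path).each_with_object({}) do |line, accounts|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1)
    next unless fields.length >= 7 # name:passwd:uid:gid:gecos:home:shell
    accounts[fields[0]] = fields[5]
  end
end

# Sorted usernames that have a home directory under home_root but no entry in
# the local passwd file. The directory name is taken as the username (the
# usual /home/<user> layout); ownership is deliberately not consulted so the
# function runs without real accounts. Returns [] when either input is missing
# rather than guessing.
def directory_users(home_root, passwd_path)
  return [] unless File.directory?(home_root) && File.file?(passwd_path)
  local = local_accounts(passwd_path)
  Dir.children(home_root)
     .reject { |name| SKIP_NAMES.include?(name) || local.key?(name) }
     .select { |name| File.directory?(File.join(home_root, name)) }
     .sort
end

# Register the fact when this file is loaded by Facter; the Facter constant is
# absent when the script is run on its own, so the block is skipped there.
if defined?(Facter)
  Facter.add(:ldap_users) do
    setcode { directory_users(HOME_ROOT, LOCAL_PASSWD) }
  end
end

puts directory_users(HOME_ROOT, LOCAL_PASSWD).inspect if __FILE__ == $PROGRAM_NAME
```

Placed in a module as `lib/facter/ldap_users.rb`, the file is pluginsynced to agents and the value is available in manifests as `$facts['ldap_users']`, so a class can iterate it with `$facts['ldap_users'].each |$user| { ... }` in the way Karsten sketches. The heuristic is a starting point only: it does not verify that the directory service actually knows the user, so a stale home directory of a deleted account will still be listed, which is arguably what a hardening check wants to see.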


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-15 Thread Karsten Heymann
Hi Dan,

I understand your request, but I'm not sure it is best performed by
the puppet agent directly. As you are not controlling from puppet
which users exist on which servers, it would probably make sense to
take a indirect approach and use puppet to ship a permission fixing
script and a cron job calling it. So puppet would still be in control
of the process, but would not directly fix the user's files. This has
the additional advantage that the frequency of that check is not
coupled to the frequency of the puppet agent running, but can happen
more or less often depending on your requirements.

*If* you want to keep the permission checking inside the puppet agent
run, my best bet would probably be a custom fact on the server that
exports the name of all ldap users that have files on the system. You
then could iterate over these users ($facts['ldap_users'].each | |
...) and go on from there. Depending on how many users you have and
the amount of files you want to check you then also have to take the
agent runtime into account. We once had a team that tried to ensure
the file ownership/permissions on >100k files from puppet, we had to
move that into a separate script because the agent runtime was not
tolerable any more.

Best regards
Karsten

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAL017hC8XXBLwQawp1qaMEUugD5rXbt5jy0BGic_tcwYkpML0w%40mail.gmail.com.
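A script of the kind Karsten describes shipping with Puppet and calling from cron, as an added example; it is not code from the thread or from Puppet. It audits each home directory under a root for the two things Dan asked about (permissions that let other users read or write the directory, and a `~/.netrc`, which stores plaintext credentials), reports findings one per line, and tightens the modes only when run with `--fix`; it never deletes files. The thresholds, names and report format are this example's own choices.

```ruby
# Added example, not code from the thread or from Puppet: a home-directory
# hardening check meant to be delivered by a file resource and run by a cron
# resource. Report-only by default; `fix: true` tightens modes in place.
# HOME_MODE_MASK / NETRC_MODE_MASK are this example's own policy choices.
HOME_MODE_MASK = 0o750  # owner rwx, group rx at most, nothing for others
NETRC_MODE_MASK = 0o600 # .netrc must be owner-only

Finding = Struct.new(:path, :issue, :mode)

# Permission bits of a path as an integer (e.g. 0o755).
def mode_of(path)
  File.stat(path).mode & 0o7777
end

# Audit one home directory. Returns an Array of Finding; empty means clean.
def audit_home(home, fix: false)
  findings = []
  mode = mode_of(home)
  if (mode & ~HOME_MODE_MASK) != 0
    findings << Finding.new(home, 'home directory readable or writable by others', mode)
    File.chmod(mode & HOME_MODE_MASK, home) if fix
  end
  netrc = File.join(home, '.netrc')
  if File.file?(netrc)
    nmode = mode_of(netrc)
    # Presence alone is reported: the file holds plaintext credentials.
    findings << Finding.new(netrc, '.netrc present (stores plaintext credentials)', nmode)
    if (nmode & ~NETRC_MODE_MASK) != 0
      findings << Finding.new(netrc, '.netrc readable by others', nmode)
      File.chmod(nmode & NETRC_MODE_MASK, netrc) if fix
    end
  end
  findings
end

# Audit every real directory under home_root (symlinks are skipped so a link
# pointing outside the tree is never chmod'ed). Returns Hash of home => findings,
# containing only homes with at least one finding.
def audit_all(home_root, fix: false)
  return {} unless File.directory?(home_root)
  Dir.children(home_root).sort.each_with_object({}) do |name, report|
    home = File.join(home_root, name)
    next if File.symlink?(home) || !File.directory?(home)
    found = audit_home(home, fix: fix)
    report[home] = found unless found.empty?
  end
end

# One line per finding, suitable for cron mail or for piping to logger(1).
def format_report(report)
  report.flat_map do |_home, findings|
    findings.map { |f| format('%s: %s (mode %04o)', f.path, f.issue, f.mode) }
  end
end

if __FILE__ == $PROGRAM_NAME
  fix = ARGV.include?('--fix')
  root = ARGV.reject { |a| a.start_with?('--') }.first || '/home'
  puts format_report(audit_all(root, fix: fix))
end
```

Running it from cron rather than from the agent run gives the decoupled schedule Karsten mentions, and keeps the per-file work out of the catalog, which is the runtime problem he saw with managing permissions on >100k files as Puppet resources. A report-only first run is worth doing before enabling `--fix`, since the `.netrc present` finding needs a human decision (the file is not removed automatically).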


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-14 Thread 'Dan White' via Puppet Users

I believe I am going to abandon user resources with an ldap provider, because I 
cannot get it to even attempt a connection.
I tried to create a user on the puppet server itself using "puppet apply"
The output of the run complains that
   Provider ldap is not functional on this host
and
   Could not find library 'ldap' required to enable feature 'ldap'

I tried to find what library it was missing. I installed some gems -- ruby-ldap 
and net-ldap -- but they did not help.  I found references to a ruby-ldap gem, 
but I cannot install it without creating a complete gem development environment.

It would appear that the LDAP provider has died of neglect  ;(

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & 
Hobbes)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/10d837b0-3a1b-46b2-94fe-407c2c1c4d91%40me.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-14 Thread 'Dan White' via Puppet Users

> On August 14, 2019 at 9:01 AM, jcbollinger wrote:
>
> Why would you not want to write to the data store backing your User resources?  
> If you cannot write, then you cannot manage resources -- neither create new 
> ones nor modify existing ones nor remove unwanted ones.  These things are what 
> User resources are for.  Without being able to write, the most you could do is 
> use dependencies on User resources to cause other resources not to be applied 
> in the event that a User configuration does not match your expectation.
>
> If you simply want to configure systems to authenticate users against an LDAP 
> directory and draw their information from there, then User resources are the 
> wrong approach.  For Linux, at least, you may want to look into configuring 
> systems for LDAP itself, or for SSSD.  You will probably want to manage 
> nsswitch.conf, too.  There are available modules for all these things.  If 
> you're looking to manage system-level access control, too, then you probably 
> still want to come from that direction.
>
> In my own house, for example, I authenticate Linux users against institutional 
> Active Directory with use of SSSD (the managed machines are domain-joined).  I 
> manage which users are permitted to log in to which machines through SSSD 
> configuration, not User resources.  That approach can work for other data 
> sources, too -- in particular, SSSD supposedly can work (directly) with LDAP 
> directories, though I've never configured it that way.
>
> John

Hi, John

Your response makes perfect sense.  I am planning to use FreeIPA/Red Hat 
Identity Manager which uses SSSD to do everything you describe for your house.

I want to be able to manage aspects of the user home directories for hardening 
purposes - permissions, no dot-netrc files, that sort of thing.

In your experience, is it possible for an LDAP-authenticating login to have a 
user resource at all ?  If not, I will have to consider a shotgun approach to 
the home-dir management.

Thanks for the information

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & 
Hobbes)

 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/23d54e89-0106-43eb-812a-50c450d95fa2%40me.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-14 Thread jcbollinger


On Wednesday, August 14, 2019 at 5:35:13 AM UTC-5, LinuxDan wrote:
> On August 14, 2019 at 5:15 AM, Martin Alfke wrote:
>
>> Hi Dan,
>>
>> On 14. Aug 2019, at 04:12, 'Dan White' via Puppet Users wrote:
>>
>>> On Aug 13, 2019, at 9:30 PM, Garrett Honeycutt wrote:
>>>
>>>> On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
>>>>
>>>>> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users wrote:
>>>>>
>>>>>> Is there any current documentation about how to create user resources
>>>>>> with an ldap provider ?
>>>>>
>>>>> Let me be a bit more specific on this question. I am looking for the
>>>>> setup details to allow Puppet to get the user information from ldap. I
>>>>> am guessing this is a “read-only” thing and that the user must exist in
>>>>> ldap before Puppet can use it.
>>>>
>>>> Hi Dan,
>>>>
>>>> Surprised by this idea and curious about your use case. Puppet is better
>>>> for modeling resources on a system as opposed to data in an external
>>>> database, which is what users are in LDAP. Normally you would use Puppet
>>>> to manage local users as well as the setup necessary for nsswitch,
>>>> sssd/nscd and pam so the system can resolve users and groups from LDAP.
>>>>
>>>> Best regards,
>>>> -g
>>>>
>>>> --
>>>> Garrett Honeycutt
>>>> Tailored Automation
>>>> https://tailoredautomation.io
>>>
>>> Hi, Garret
>>>
>>> The use case is simple.
>>> Centralized credentials in LDAP.
>>> Minimal local accounts other than system and service users and a non-root 
>>> admin login with sudo permissions as an emergency back door.
>>>
>>> We also have lots of appliances, applications, and network devices that 
>>> can use LDAP or RADIUS for authentication. I found multiple references for 
>>> a FreeRADIUS service with the credentials in LDAP.
>>>
>>> I see the PE documentation about connecting to an external directory 
>>> service, but it looks like that is only for PE console users and not for 
>>> Puppet managed node user accounts.
>>
>> Yes. PE external directory refers to PE console logins only.
>>
>>> If I set up the system as you describe with sssd/nsswitch/pam for users 
>>> defined in LDAP, can I then just create appropriate user resources with 
>>> “provider => ldap” and expect the login to be created on the node server ? 
>>> Or is it like with FreeIPA where you just log in with the LDAP credentials 
>>> and your home directory is created the first time ?
>>
>> You can use the provider ldap to manage users in ldap:
>> https://puppet.com/docs/puppet/6.6/types/user.html#user-provider-ldap
>>
>> "This provider requires that you have valid values for all of the 
>> LDAP-related settings in puppet.conf, including ldapbase. You will almost 
>> definitely need settings for ldapuser and ldappassword in order for your 
>> clients to write to LDAP."
>>
>> I would try to use that config on a single system with write access to 
>> your ldap master.
>>
>> Any other system should just be configured to make use of pam_ldap/sssd 
>> using a module from puppet forge:
>> e.g. https://forge.puppet.com/sgnl05/sssd
>>
>> hth,
>> Martin
>
> ?? Write to LDAP ??  What would it be writing ?  Like I said above: 
>
> I am guessing this is a “read-only” thing and that the user must exist in 
> ldap before Puppet can use it.

Why would you *not* want to write to the data store backing your User 
resources?  If you cannot write, then you cannot manage resources -- 
neither create new ones nor modify existing ones nor remove unwanted ones.  
These things are what User resources are for.  Without being able to write, 
the most you could do is use dependencies on User resources to cause other 
resources not to be applied in the event that a User configuration does not 
match your expectation.

If you simply want to configure systems to authenticate users against an 
LDAP directory and draw their information from there, then User resources 
are the wrong approach.  For Linux, at least, you may want to look into 
configuring systems for LDAP itself, or for SSSD.  You will probably want 
to manage nsswitch.conf, too.  There are available modules for all these 
things.  If you're looking to manage system-level access control, too, then 
you probably still want to come from that direction.

In my own house, for example, I authenticate Linux users against 
institutional Active Directory with use of SSSD (the managed machines are 
domain-joined).  I manage which users are permitted to log in to which 
machines through SSSD configuration, not User resources.  That approach can 
work for other data sources, too -- in particular, SSSD supposedly can work 
(directly) with LDAP directories, though I've never configured it that way.


John

Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-14 Thread 'Dan White' via Puppet Users

On August 14, 2019 at 5:15 AM, Martin Alfke wrote:

> Hi Dan,
>
> On 14. Aug 2019, at 04:12, 'Dan White' via Puppet Users wrote:
>
>> On Aug 13, 2019, at 9:30 PM, Garrett Honeycutt wrote:
>>
>>> On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
>>>
>>>> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users wrote:
>>>>
>>>>> Is there any current documentation about how to create user resources
>>>>> with an ldap provider ?
>>>>
>>>> Let me be a bit more specific on this question. I am looking for the
>>>> setup details to allow Puppet to get the user information from ldap. I
>>>> am guessing this is a “read-only” thing and that the user must exist in
>>>> ldap before Puppet can use it.
>>>
>>> Hi Dan,
>>>
>>> Surprised by this idea and curious about your use case. Puppet is better
>>> for modeling resources on a system as opposed to data in an external
>>> database, which is what users are in LDAP. Normally you would use Puppet
>>> to manage local users as well as the setup necessary for nsswitch,
>>> sssd/nscd and pam so the system can resolve users and groups from LDAP.
>>>
>>> Best regards,
>>> -g
>>>
>>> --
>>> Garrett Honeycutt
>>> Tailored Automation
>>> https://tailoredautomation.io
>>
>> Hi, Garret
>>
>> The use case is simple.
>> Centralized credentials in LDAP.
>> Minimal local accounts other than system and service users and a non-root admin 
>> login with sudo permissions as an emergency back door.
>>
>> We also have lots of appliances, applications, and network devices that can use 
>> LDAP or RADIUS for authentication. I found multiple references for a FreeRADIUS 
>> service with the credentials in LDAP.
>>
>> I see the PE documentation about connecting to an external directory service, 
>> but it looks like that is only for PE console users and not for Puppet managed 
>> node user accounts.
>
> Yes. PE external directory refers to PE console logins only.
>
>> If I set up the system as you describe with sssd/nsswitch/pam for users defined in 
>> LDAP, can I then just create appropriate user resources with “provider => ldap” 
>> and expect the login to be created on the node server ? Or is it like with FreeIPA 
>> where you just log in with the LDAP credentials and your home directory is created 
>> the first time ?
>
> You can use the provider ldap to manage users in ldap:
> https://puppet.com/docs/puppet/6.6/types/user.html#user-provider-ldap
>
> "This provider requires that you have valid values for all of the LDAP-related 
> settings in puppet.conf, including ldapbase. You will almost definitely need settings for 
> ldapuser and ldappassword in order for your clients to write to LDAP."
>
> I would try to use that config on a single system with write access to your 
> ldap master.
>
> Any other system should just be configured to make use of pam_ldap/sssd using a 
> module from puppet forge:
> e.g. https://forge.puppet.com/sgnl05/sssd
>
> hth,
> Martin

?? Write to LDAP ??  What would it be writing ?  Like I said above: 
I am guessing this is a “read-only” thing and that the user must exist in ldap 
before Puppet can use it.

Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & 
Hobbes)

 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/cd134b63-1911-466a-a3ef-47729f0cacab%40me.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-14 Thread Martin Alfke
Hi Dan,

> On 14. Aug 2019, at 04:12, 'Dan White' via Puppet Users 
>  wrote:
> 
>> On Aug 13, 2019, at 9:30 PM, Garrett Honeycutt  
>> wrote:
>> 
>>> On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
>>> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users wrote:
>>> 
>>>> Is there any current documentation about how to create user resources
>>>> with an ldap provider ?
>>> 
>>> Let me be a bit more specific on this question.  I am looking for the
>>> setup details to allow Puppet to get the user information from ldap.  I
>>> am guessing this is a “read-only” thing and that the user must exist in
>>> ldap before Puppet can use it.
>> 
>> Hi Dan,
>> 
>> Surprised by this idea and curious about your use case. Puppet is better
>> for modeling resources on a system as opposed to data in an external
>> database, which is what users are in LDAP. Normally you would use Puppet
>> to manage local users as well as the setup necessary for nsswitch,
>> sssd/nscd and pam so the system can resolve users and groups from LDAP.
>> 
>> Best regards,
>> -g
>> 
>> -- 
>> Garrett Honeycutt
>> Tailored Automation
>> https://tailoredautomation.io
> 
> Hi, Garret
> 
> The use case is simple.
> Centralized credentials in LDAP.
> Minimal local accounts other than system and service users and a non-root 
> admin login with sudo permissions as an emergency back door. 
> 
> We also have lots of appliances, applications, and network devices that can 
> use LDAP or RADIUS for authentication. I found multiple references for a 
> FreeRADIUS service with the credentials in LDAP. 
> 
> I see the PE documentation about connecting to an external directory service, 
> but it looks like that is only for PE console users and not for Puppet 
> managed node user accounts. 

Yes. PE external directory refers to PE console logins only.

> 
> If I set up the system as you describe with sssd/nsswitch/pam for users 
> defined in LDAP, can I then just create appropriate user resources with 
> “provider => ldap” and expect the login to be created on the node server ?  
> Or is it like with FreeIPA where you just log in with the LDAP credentials 
> and your home directory is created the first time ?

You can use the provider ldap to manage users in ldap:
https://puppet.com/docs/puppet/6.6/types/user.html#user-provider-ldap

"This provider requires that you have valid values for all of the LDAP-related 
settings in puppet.conf, including ldapbase. You will almost definitely need 
settings for ldapuser and ldappassword in order for your clients to write to 
LDAP."

I would try to use that config on a single system with write access to your 
ldap master.

Any other system should just be configured to make use of pam_ldap/sssd using a 
module from puppet forge:
e.g. https://forge.puppet.com/sgnl05/sssd

hth,
Martin

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9F3899C4-09E3-4D1B-9B36-CBF51417C07B%40gmail.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-13 Thread 'Dan White' via Puppet Users
> On Aug 13, 2019, at 9:30 PM, Garrett Honeycutt  
> wrote:
> 
>> On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
>> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users wrote:
>> 
>>> Is there any current documentation about how to create user resources
>>> with an ldap provider ?
>> 
>> Let me be a bit more specific on this question.  I am looking for the
>> setup details to allow Puppet to get the user information from ldap.  I
>> am guessing this is a “read-only” thing and that the user must exist in
>> ldap before Puppet can use it.
> 
> Hi Dan,
> 
> Surprised by this idea and curious about your use case. Puppet is better
> for modeling resources on a system as opposed to data in an external
> database, which is what users are in LDAP. Normally you would use Puppet
> to manage local users as well as the setup necessary for nsswitch,
> sssd/nscd and pam so the system can resolve users and groups from LDAP.
> 
> Best regards,
> -g
> 
> -- 
> Garrett Honeycutt
> Tailored Automation
> https://tailoredautomation.io

Hi, Garret

The use case is simple.
Centralized credentials in LDAP.
Minimal local accounts other than system and service users and a non-root admin 
login with sudo permissions as an emergency back door. 

We also have lots of appliances, applications, and network devices that can use 
LDAP or RADIUS for authentication. I found multiple references for a FreeRADIUS 
service with the credentials in LDAP. 

I see the PE documentation about connecting to an external directory service, 
but it looks like that is only for PE console users and not for Puppet managed 
node user accounts. 

If I set up the system as you describe with sssd/nsswitch/pam for users defined 
in LDAP, can I then just create appropriate user resources with “provider => 
ldap” and expect the login to be created on the node server ?  Or is it like 
with FreeIPA where you just log in with the LDAP credentials and your home 
directory is created the first time ?

-- 
"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)


To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/B780B986-9561-4272-912E-F7173026612C%40icloud.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-13 Thread Garrett Honeycutt
On 8/13/19 6:10 PM, 'Dan White' via Puppet Users wrote:
> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users wrote:
> 
>> Is there any current documentation about how to create user resources
>> with an ldap provider ?
> 
> Let me be a bit more specific on this question.  I am looking for the
> setup details to allow Puppet to get the user information from ldap.  I
> am guessing this is a “read-only” thing and that the user must exist in
> ldap before Puppet can use it.
> 

Hi Dan,

Surprised by this idea and curious about your use case. Puppet is better
for modeling resources on a system as opposed to data in an external
database, which is what users are in LDAP. Normally you would use Puppet
to manage local users as well as the setup necessary for nsswitch,
sssd/nscd and pam so the system can resolve users and groups from LDAP.

Best regards,
-g

-- 
Garrett Honeycutt
Tailored Automation
https://tailoredautomation.io

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/73fc8362-c8ea-6077-910d-35a051febf92%40garretthoneycutt.com.


Re: [Puppet Users] LDAP ? User type provider documentation ? Hiera Back End ?

2019-08-13 Thread 'Dan White' via Puppet Users
> On Aug 13, 2019, at 9:04 PM, 'Dan White' via Puppet Users 
>  wrote:
> 
> Is there any current documentation about how to create user resources with an 
> ldap provider ?

Let me be a bit more specific on this question.  I am looking for the setup 
details to allow Puppet to get the user information from ldap.  I am guessing 
this is a “read-only” thing and that the user must exist in ldap before Puppet 
can use it.

-- 
"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/F74722AC-1F84-4C4C-8F3B-BF130616144B%40icloud.com.